PREFACE

This publication supersedes Federal Guidelines for Searching and Seizing Computers (1994), as 
well as the Guidelines’ 1997 and 1999 Supplements. Although the interagency group that produced the 
Guidelines achieved its goal of offering “systematic guidance to all federal agents and attorneys” in the 
law of computer search and seizure, intervening changes in law and the dramatic expansion of the 
Internet since 1994 have fostered the need for fresh guidance. This manual is designed to combine an 
updated version of the Guidelines’ advice on searching and seizing computers with guidance on the
statutes that govern obtaining electronic evidence in cases involving computer networks and the 
Internet. Of course, this manual is intended to offer assistance, not authority. Its analysis and 
conclusions reflect current thinking on difficult areas of law, and do not represent the official position of 
the Department of Justice or any other agency. It has no regulatory effect, and confers no rights or 
remedies. 

This publication was written by Orin S. Kerr of the Computer Crime and Intellectual Property 
Section of the U.S. Department of Justice, under the supervision of Martha Stansell-Gamm, Chief of the 
Computer Crime and Intellectual Property Section. The author gratefully acknowledges the assistance 
of Mark Eckenwiler, Scott Charney, David Green, Jennifer Martin, Chris Painter, the members of the
1999 CTC Working Group (especially Stephen Heymann), Jeff Singdahlsen, Mark Pollitt, Thos.
Gregory Motta, Joanne Pasquerelli, and summer interns Dan Jackson and Avi Ionescu. Electronic
copies of this document are available from the Computer Crime and Intellectual Property Section’s web 
site, www.cybercrime.gov. Inquiries, comments, and corrections should be directed to Orin S. Kerr at 
(202) 514-1026. Requests for paper copies or written correspondence should be sent to the following 
address: 
In the last decade, computers and the Internet have entered the mainstream of American life.
Millions of Americans spend several hours every day in front of computers, where they send and receive 
e-mail, surf the Web, maintain databases, and participate in countless other activities. 

Unfortunately, those who commit crime have not missed the computer revolution. An increasing 
number of criminals use pagers, cellular phones, laptop computers and network servers in the course of 
committing their crimes. In some cases, computers provide the means of committing crime. For 
example, the Internet can be used to deliver a death threat via e-mail; to launch hacker attacks against a 
vulnerable computer network; to disseminate computer viruses; or to transmit images of child 
pornography. In other cases, computers merely serve as convenient storage devices for evidence of 
crime. For example, a drug kingpin might keep a list of who owes him money in a file stored in his 
desktop computer at home, or a money laundering operation might retain false financial records in a file 
on a network server. 

The dramatic increase in computer-related crime requires prosecutors and law enforcement agents 
to understand how to obtain electronic evidence stored in computers. Electronic records such as 
computer network logs, e-mails, word processing files, and “.jpg” picture files increasingly provide the 
government with important (and sometimes essential) evidence in criminal cases. The purpose of this 
publication is to provide Federal law enforcement agents and prosecutors with systematic guidance that 
can help them understand the legal issues that arise when they seek electronic evidence in criminal 
investigations. 

The law governing electronic evidence in criminal investigations has two primary sources: the 
Fourth Amendment to the U.S. Constitution, and the statutory privacy laws codified at 18 U.S.C. §§ 
2510-22, 18 U.S.C. §§ 2701-11, and 18 U.S.C. §§ 3121-27. Although constitutional and statutory issues 
overlap in some cases, most situations present either a constitutional issue under the Fourth Amendment 
or a statutory issue under these three statutes. This manual reflects that division: Chapters 1 and 2 
address the Fourth Amendment law of search and seizure, and Chapters 3 and 4 focus on the statutory 
issues, which arise mostly in cases involving computer networks and the Internet. 

Chapter 1 explains the restrictions that the Fourth Amendment places on the warrantless search 
and seizure of computers and computer data. The chapter begins by explaining how the courts apply the 
“reasonable expectation of privacy” test to computers; turns next to how the exceptions to the warrant 
requirement apply in cases involving computers; and concludes with a comprehensive discussion of the 
difficult Fourth Amendment issues raised by warrantless workplace searches of computers. Questions 
addressed in this chapter include: When does the government need a search warrant to search and seize a 
suspect's computer? Can an investigator search without a warrant through a suspect's pager found 
incident to arrest? Does the government need a warrant to search a government employee's desktop 
computer located in the employee’s office? 

Chapter 2 discusses the law that governs the search and seizure of computers pursuant to search 
warrants. The chapter begins by reviewing the steps that investigators should follow when planning and 
executing searches to seize computer hardware and computer data with a warrant. In particular, the 
chapter focuses on two issues: first, how investigators should plan to execute computer searches, and 
second, how they should draft the proposed search warrants and their accompanying affidavits. Finally, 
the chapter ends with a discussion of post-search issues. Questions addressed in the chapter include: 
When should investigators plan to search computers on the premises, and when should they remove the 
computer hardware and search it later off-site? How should investigators plan their searches to avoid
civil liability under the Privacy Protection Act, 42 U.S.C. § 2000aa? How should prosecutors draft 
search warrant language so that it complies with the particularity requirement of the Fourth Amendment 
and Rule 41 of the Federal Rules of Criminal Procedure? What is the law governing when the 
government must search and return seized computers?

The focus of Chapter 3 is the stored communications portion of the Electronic Communications 
Privacy Act, 18 U.S.C. §§ 2701-11 (“ECPA”). ECPA governs how investigators can obtain stored 
account records and contents from network service providers, including Internet service providers 
(ISPs), telephone companies, cell phone service providers, and satellite services. ECPA issues arise 
often in cases involving the Internet: any time investigators seek stored information concerning Internet 
accounts from providers of Internet service, they must comply with the statute. Topics covered in this 
section include: How can the government obtain e-mails and network account logs from ISPs? When 
does the government need to obtain a search warrant, as opposed to an 18 U.S.C. § 2703(d) order or a
subpoena? When can providers disclose e-mails and records to the government voluntarily? What 
remedies will courts impose when ECPA has been violated? 

Chapter 4 reviews the legal framework that governs electronic surveillance, with particular 
emphasis on how the statutes apply to surveillance on the communications networks. In particular, the 
chapter discusses Title III as modified by the Electronic Communications Privacy Act, 18 U.S.C. §§
2510-22 (referred to here as “Title III”), as well as the Pen Register and Trap and Trace Devices
statute, 18 U.S.C. §§ 3121-27. These statutes govern when and how the government can conduct
real-time surveillance, such as monitoring a computer hacker's activity as he breaks into a government
computer network. Topics addressed in this chapter include: When can victims of computer crime 
monitor unauthorized intrusions into their networks and disclose that information to law enforcement? 
Can network “banners” generate implied consent to monitoring? How can the government obtain a pen 
register/trap and trace order that permits the government to collect packet header information from 
Internet communications? What remedies will courts impose when the electronic surveillance statutes 
have been violated? 

Of course, the issues discussed in Chapters 1 through 4 can overlap in actual cases. An 
investigation into computer hacking may begin with obtaining stored records from an ISP according to 
Chapter 3, move next to an electronic surveillance phase implicating Chapter 4, and then conclude with 
a search of the suspect's residence and a seizure of his computers according to Chapters 1 and 2. In 
other cases, agents and prosecutors must understand issues raised in multiple chapters not just in the 
same case, but at the same time. For example, an investigation into workplace misconduct by a
government employee may implicate all of Chapters 1 through 4. Investigators may want to obtain the 
employee's e-mails from the government network server (implicating ECPA, discussed in Chapter 3); 
may wish to monitor the employee's use of the telephone or Internet in real-time (raising surveillance 
issues from Chapter 4); and at the same time, may need to search the employee's desktop computer in 
his office for clues of the misconduct (raising search and seizure issues from Chapters 1 and 2). 

Because the constitutional and statutory regimes can overlap in certain cases, agents and prosecutors 
will need to understand not only all of the legal issues covered in Chapters 1 through 4, but will also 
need to understand the precise nature of the information to be gathered in their particular cases. 

Chapters 1 through 4 are followed by a short Chapter 5, which discusses evidentiary issues that 
arise frequently in computer-related cases. The publication concludes with appendices that offer sample
forms, language, and orders. 

Computer crime investigations raise many novel issues, and the courts have only begun to 
interpret how the Fourth Amendment and federal statutory laws apply to computer-related cases.

Agents and prosecutors who need more detailed advice can rely on several resources for further 
assistance. At the federal district level, every U.S. Attorney’s Office has at least one Assistant U.S. 
Attorney who has been designated as a Computer and Telecommunications Coordinator (“CTC”). 
Every CTC receives extensive training in computer-related crime, and is primarily responsible for
providing expertise relating to the topics covered in this manual within his or her district. CTCs may be
reached in their district offices. Further, several sections within the Criminal Division of the U.S.
Department of Justice in Washington, D.C., have expertise in computer-related fields. The Office of
International Affairs ((202) 514-0000) provides expertise in the many computer crime investigations that
raise international issues. The Office of Enforcement Operations ((202) 514-6809) provides expertise in
the wiretapping laws and other privacy statutes discussed in Chapters 3 and 4. Also, the Child
Exploitation and Obscenity Section ((202) 514-5780) provides expertise in computer-related cases
involving child pornography and child exploitation. 

Finally, agents and prosecutors are always welcome to contact the Computer Crime and 
Intellectual Property Section (“CCIPS”) directly both for general advice and specific case-related 
assistance. During regular business hours, at least two CCIPS attorneys are on duty to answer questions 
and provide assistance to agents and prosecutors on the topics covered in this document, as well as other 
matters that arise in computer crime cases. The main number for CCIPS is (202) 514-1026. 



I. SEARCHING AND SEIZING COMPUTERS WITHOUT A WARRANT 



A. Introduction 

The Fourth Amendment limits the ability of government agents to search for evidence without a 
warrant. This chapter explains the constitutional limits of warrantless searches in cases involving 
computers. 

The Fourth Amendment states: 

The right of the people to be secure in their persons, houses, papers, and effects, against 
unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but 
upon probable cause, supported by Oath or affirmation, and particularly describing the place 
to be searched, and the persons or things to be seized. 

According to the Supreme Court, a warrantless search does not violate the Fourth Amendment if 
one of two conditions is satisfied. First, if the government’s conduct does not violate a person’s 
“reasonable expectation of privacy,” then formally it does not constitute a Fourth Amendment “search” 
and no warrant is required. See Illinois v. Andreas, 463 U.S. 765, 771 (1983). Second, a warrantless
search that violates a person’s reasonable expectation of privacy will nonetheless be “reasonable” (and
therefore constitutional) if it falls within an established exception to the warrant requirement. See
Illinois v. Rodriguez, 497 U.S. 177, 183 (1990). Accordingly, investigators must consider two issues
when asking whether a government search of a computer requires a warrant. First, does the search 
violate a reasonable expectation of privacy? And if so, is the search nonetheless reasonable because it 
falls within an exception to the warrant requirement? 



B. The Fourth Amendment’s “Reasonable Expectation of Privacy” in Cases Involving Computers 



1. General Principles
A search is constitutional if it does not violate a person’s “reasonable” or “legitimate” expectation
of privacy. Katz v. United States, 389 U.S. 347, 362 (1967) (Harlan, J., concurring). This inquiry
embraces two discrete questions: first, whether the individual’s conduct reflects “an actual (subjective)
expectation of privacy,” and second, whether the individual’s subjective expectation of privacy is “one
that society is prepared to recognize as ‘reasonable.’” Id. at 361. In most cases, the difficulty of
contesting a defendant’s subjective expectation of privacy focuses the analysis on the objective aspect of 
the Katz test, i.e., whether the individual’s expectation of privacy was reasonable. 

No bright line rule indicates whether an expectation of privacy is constitutionally reasonable. See 
O’Connor v. Ortega, 480 U.S. 709, 715 (1987). For example, the Supreme Court has held that a person
has a reasonable expectation of privacy in property located inside a person’s home, see Payton v. New
York, 445 U.S. 573, 589-90 (1980); in conversations taking place in an enclosed phone booth, see Katz,
389 U.S. at 358; and in the contents of opaque containers, see United States v. Ross, 456 U.S. 798,
822-23 (1982). In contrast, a person does not have a reasonable expectation of privacy in activities
conducted in open fields, see Oliver v. United States, 466 U.S. 170, 177 (1984); in garbage deposited at
the outskirts of real property, see California v. Greenwood, 486 U.S. 35, 40-41 (1988); or in a stranger’s
house that the person has entered without the owner’s consent in order to commit a theft, see Rakas v.
Illinois, 439 U.S. 128, 143 n.12 (1978).

2. Reasonable Expectation of Privacy in Computers as Storage Devices 

• To determine whether an individual has a reasonable expectation of privacy in information stored 
in a computer, it helps to treat the computer like a closed container such as a briefcase or file 
cabinet. The Fourth Amendment generally prohibits law enforcement from accessing and viewing 
information stored in a computer without a warrant if it would be prohibited from opening a 
closed container and examining its contents in the same situation. 

The most basic Fourth Amendment question in computer cases asks whether an individual enjoys a 
reasonable expectation of privacy in electronic information stored within computers (or other electronic 
storage devices) under the individual’s control. For example, do individuals have a reasonable 
expectation of privacy in the contents of their laptop computers, floppy disks or pagers? If the answer is 
‘yes,’ then the government ordinarily must obtain a warrant before it accesses the information stored
inside. 

When confronted with this issue, courts have analogized electronic storage devices to closed 
containers, and have reasoned that accessing the information stored within an electronic storage device 
is akin to opening a closed container. Because individuals generally retain a reasonable expectation of 
privacy in the contents of closed containers, see United States v. Ross, 456 U.S. 798, 822-23 (1982),
they also generally retain a reasonable expectation of privacy in data held within electronic storage
devices. Accordingly, accessing information stored in a computer ordinarily will implicate the owner’s
reasonable expectation of privacy in the information. See United States v. Barth, 26 F. Supp.2d 929,
936-37 (W.D. Tex. 1998) (finding reasonable expectation of privacy in files stored on hard drive of
personal computer); United States v. Reyes, 922 F. Supp. 818, 832-33 (S.D.N.Y. 1996) (finding
reasonable expectation of privacy in data stored in a pager); United States v. Lynch, 908 F. Supp. 284,
287 (D.V.I. 1995) (same); United States v. Chan, 830 F. Supp. 531, 535 (N.D. Cal. 1993) (same);
United States v. Blas, 1990 WL 265179, at *21 (E.D. Wis. 1990) (“[A]n individual has the same
expectation of privacy in a pager, computer, or other electronic data storage and retrieval device as in a
closed container.”). But see United States v. Carey, 172 F.3d 1268, 1275 (10th Cir. 1999) (dicta)
(analogizing a computer hard drive to a file cabinet in the context of a search pursuant to a warrant, but
then stating without explanation that “the file cabinet analogy may be inadequate”).
Although individuals generally retain a reasonable expectation of privacy in computers under their
control, special circumstances may eliminate that expectation. For example, an individual will not retain
a reasonable expectation of privacy in information from a computer that the person has made openly
available. In United States v. David, 756 F. Supp. 1385 (D. Nev. 1991), agents looking over the
defendant’s shoulder read the defendant’s password from the screen as the defendant typed his password
into a handheld computer. The court found no Fourth Amendment violation in obtaining the password,
because the defendant did not enjoy a reasonable expectation of privacy “in the display that appeared on
the screen.” Id. at 1389. See also Katz v. United States, 389 U.S. 347, 351 (1967) (“What a person
knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment
protection.”). Nor will individuals generally enjoy a reasonable expectation of privacy in the contents of
computers they have stolen. See United States v. Lyons, 992 F.2d 1029, 1031-32 (10th Cir. 1993).



3. Reasonable Expectation of Privacy and Third-Party Possession 

Individuals who retain a reasonable expectation of privacy in stored electronic information under 
their control may lose Fourth Amendment protections when they relinquish that control to third parties. 
For example, an individual may offer a container of electronic information to a third party by bringing a 
malfunctioning computer to a repair shop, or by shipping a floppy diskette in the mail to a friend. 
Alternatively, a user may transmit information to third parties electronically, such as by sending data 
across the Internet. When law enforcement agents learn of information possessed by third parties that 
may provide evidence of a crime, they may wish to inspect it. Whether the Fourth Amendment requires 
them to obtain a warrant before examining the information depends first upon whether the third-party 
possession has eliminated the individual’s reasonable expectation of privacy. 

To analyze third-party possession issues, it helps first to distinguish between possession by a 
carrier in the course of transmission to an intended recipient, and subsequent possession by the intended 
recipient. For example, if A hires B to carry a package to C, A’s reasonable expectation of privacy in 
the contents of the package during the time that B carries the package on its way to C may be different 
than A’s reasonable expectation of privacy after C has received the package. During transmission, 
contents generally retain Fourth Amendment protection. The government ordinarily may not examine 
the contents of a package in the course of transmission without a warrant. Government intrusion and 
examination of the contents ordinarily violates the reasonable expectation of privacy of both the sender 
and receiver. See United States v. Villarreal, 963 F.2d 770, 774 (5th Cir. 1992); but see United States v.
Walker, 20 F. Supp.2d 971, 973-74 (S.D.W. Va. 1998) (concluding that packages sent to an alias in
furtherance of a criminal scheme do not support a reasonable expectation of privacy). This rule applies
regardless of whether the carrier is owned by the government or a private company. Compare Ex Parte
Jackson, 96 U.S. (6 Otto) 727, 733 (1877) (public carrier) with Walter v. United States, 447 U.S. 649,
651 (1980) (private carrier).

A government “search” of an intangible electronic signal in the course of transmission may also 
implicate the Fourth Amendment. See Berger v. New York, 388 U.S. 41, 58-60 (1967) (applying the
Fourth Amendment to a wire communication in the context of a wiretap). The boundaries of the Fourth 
Amendment in such cases remain hazy, however, because Congress addressed the Fourth Amendment 
concerns identified in Berger by passing Title III of the Omnibus Crime Control and Safe Streets Act of 
1968 (“Title III”), 18 U.S.C. §§ 2510-22. Title III, which is discussed fully in Chapter 4, provides a 
comprehensive statutory framework that regulates real-time monitoring of wire and electronic 
communications. Its scope encompasses, and in many significant ways exceeds, the protection offered 
by the Fourth Amendment. See United States v. Torres, 751 F.2d 875, 884 (7th Cir. 1985). As a
practical matter, then, the monitoring of wire and electronic communications in the course of 
transmission generally raises many statutory questions, but few constitutional ones. See generally 
Chapter 4.

• Individuals may lose Fourth Amendment protection in their computer files if they lose control of
the files.

Once an item has been received by the intended recipient, the sender’s reasonable expectation of 
privacy generally depends upon whether the sender can reasonably expect to retain control over the item 
and its contents. When a person leaves a package with a third party for temporary safekeeping, for 
example, he usually retains control of the package, and thus retains a reasonable expectation of privacy 
in its contents. See, e.g., United States v. Most, 876 F.2d 191, 197-98 (D.C. Cir. 1989) (finding
reasonable expectation of privacy in contents of plastic bag left with grocery store clerk); United States
v. Barry, 853 F.2d 1479, 1481-83 (8th Cir. 1988) (finding reasonable expectation of privacy in locked
suitcase stored at airport baggage counter); United States v. Presler, 610 F.2d 1206, 1213-14 (4th Cir.
1979) (finding reasonable expectation of privacy in locked briefcases stored with defendant’s friend for
safekeeping). See also United States v. Barth, 26 F. Supp.2d 929, 936-37 (W.D. Tex. 1998) (holding that
defendant retains a reasonable expectation of privacy in computer files contained in hard drive left with 
computer technician for limited purpose of repairing computer). 

If the sender cannot reasonably expect to retain control over the item in the third party’s 
possession, however, the sender no longer retains a reasonable expectation of privacy in its contents. 

For example, in United States v. Horowitz, 806 F.2d 1222 (4th Cir. 1986), the defendant e-mailed
confidential pricing information relating to his employer to his employer’s competitor. After the FBI
searched the competitor’s computers and found the pricing information, the defendant claimed that the
search violated his Fourth Amendment rights. The Fourth Circuit disagreed, holding that the defendant
relinquished his interest in and control over the information by sending it to the competitor for the
competitor’s future use. See id. at 1225-26. See also United States v. Charbonneau, 979 F. Supp. 1177,
1184 (S.D. Ohio 1997) (holding that defendant does not retain reasonable expectation of privacy in
contents of e-mail message sent to America Online chat room after the message has been received by
chat room participants) (citing Hoffa v. United States, 385 U.S. 293, 302 (1966)). In some cases, the
sender may initially retain a right to control the third party’s possession, but may lose that right over
time. The general rule is that the sender’s Fourth Amendment rights dissipate along with the sender’s
right to control the third party’s possession. For example, in United States v. Poulsen, 41 F.3d 1330 (9th
Cir. 1994), computer hacker Kevin Poulsen left computer tapes in a locker at a commercial storage
facility but neglected to pay rent for the locker. Following a warrantless search of the facility, the
government sought to use the tapes against Poulsen. The Ninth Circuit held that the search did not
violate Poulsen’s reasonable expectation of privacy because under state law Poulsen’s failure to pay rent
extinguished his right to access the tapes. See id. at 1337.

An important line of Supreme Court cases states that individuals generally cannot reasonably 
expect to retain control over mere information revealed to third parties, even if the senders have a 
subjective expectation that the third parties will keep the information confidential. For example, in 
United States v. Miller, 425 U.S. 435, 443 (1976), the Court held that the Fourth Amendment does not
protect bank account information that account holders divulge to their banks. By placing information
under the control of a third party, the Court stated, an account holder assumes the risk that the
information will be conveyed to the government. Id. According to the Court, “the Fourth Amendment
does not prohibit the obtaining of information revealed to a third party and conveyed by him to
Government authorities, even if the information is revealed on the assumption that it will be used only
for a limited purpose and the confidence placed in the third party will not be betrayed.” Id. (citing Hoffa
v. United States, 385 U.S. 293, 302 (1966)). See also Smith v. Maryland, 442 U.S. 735, 743-44 (1979)
(finding no reasonable expectation of privacy in phone numbers dialed by owner of a telephone because
act of dialing the number effectively tells the number to the phone company); Couch v. United States,
409 U.S. 322, 335 (1973) (holding that government may subpoena accountant for client information
given to accountant by client, because client retains no reasonable expectation of privacy in information
given to accountant).

Because computer data is “information,” this line of cases suggests that individuals who send data 
over communications networks may lose Fourth Amendment protection in the data once it reaches the 
intended recipient. See United States v. Meriwether, 917 F.2d 955, 959 (6th Cir. 1990) (suggesting that
an electronic message sent via a pager is “information” under the Smith/Miller line of cases);
Charbonneau, 979 F. Supp. at 1184 (“[A]n e-mail message . . . cannot be afforded a reasonable
expectation of privacy once that message is received.”). But see C. Ryan Reetz, Note, Warrant
Requirement for Searches of Computerized Information, 61 B.U. L. Rev. 179, 200-06 (1987) (arguing
that certain kinds of remotely stored computer files should retain Fourth Amendment protection, and
attempting to distinguish United States v. Miller and Smith v. Maryland). Of course, the absence of
constitutional protections does not necessarily mean that the government can access the data without a
warrant or court order. Statutory protections exist that generally protect the privacy of electronic
communications stored remotely with service providers, and can protect the privacy of Internet users
when the Fourth Amendment may not. See 18 U.S.C. §§ 2701-11 (discussed in Chapter 3, infra).

Defendants will occasionally raise a Fourth Amendment challenge to the acquisition of account 
records and subscriber information held by Internet service providers using less process than a full 
search warrant. As discussed in a later chapter, the Electronic Communications Privacy Act permits the 
government to obtain transactional records with an “articulable facts” court order, and basic subscriber 
information with a subpoena. See 18 U.S.C. §§ 2701-11 (discussed in Chapter 3, infra). These statutory
procedures comply with the Fourth Amendment because customers of Internet service providers do not
have a reasonable expectation of privacy in customer account records maintained by and for the
provider’s business. See United States v. Hambrick, 55 F. Supp. 2d 504, 508 (W.D. Va. 1999), aff’d,
225 F.3d 656, 2000 WL 1062039 (4th Cir. 2000) (unpublished opinion) (finding no Fourth Amendment
protection for network account holder’s basic subscriber information obtained from Internet service
provider); United States v. Kennedy, 81 F. Supp. 2d 1103, 1110 (D. Kan. 2000) (same). This rule
accords with prior cases considering the scope of Fourth Amendment protection in customer account
records. See, e.g., United States v. Fregoso, 60 F.3d 1314, 1321 (8th Cir. 1995) (holding that a
telephone company customer has no reasonable expectation of privacy in account information disclosed
to the telephone company); In re Grand Jury Proceedings, 827 F.2d 301, 302-03 (8th Cir. 1987) (holding
that customer account records maintained and held by Western Union are not entitled to Fourth
Amendment protection).



4. Private Searches 

• The Fourth Amendment does not apply to searches conducted by private parties who are not 
acting as agents of the government. 

The Fourth Amendment “is wholly inapplicable to a search or seizure, even an unreasonable one, 
effected by a private individual not acting as an agent of the Government or with the participation or 
knowledge of any governmental official.” United States v. Jacobsen, 466 U.S. 109, 113 (1984). As a
result, no violation of the Fourth Amendment occurs when a private individual acting on his own accord
conducts a search and makes the results available to law enforcement. See id. For example, in United
States v. Hall, 142 F.3d 988 (7th Cir. 1998), the defendant took his computer to a private computer
specialist for repairs. In the course of evaluating the defendant’s computer, the repairman observed that
many files stored on the computer had filenames characteristic of child pornography. The repairman
accessed the files, saw that they did in fact contain child pornography, and then contacted the state
police. The tip led to a warrant, the defendant’s arrest, and his conviction for child pornography
offenses. On appeal, the Seventh Circuit rejected the defendant’s claim that the repairman’s warrantless
search through the computer violated the Fourth Amendment. Because the repairman’s search was
conducted on his own, the court held, the Fourth Amendment did not apply to the search or his later
description of the evidence to the state police. See id. at 993. See also United States v. Kennedy, 81 F.
Supp.2d 1103, 1112 (D. Kan. 2000) (concluding that searches of defendant’s computer over the Internet
by an anonymous caller and employees of a private ISP did not violate Fourth Amendment because
there was no evidence that the government was involved in the search).

In United States v. Jacobsen, 466 U.S. 109 (1984), the Supreme Court presented the framework 
that should guide agents seeking to uncover evidence as a result of a private search. According to 
Jacobsen, agents who learn of evidence via a private search can reenact the original private search 
without violating any reasonable expectation of privacy. What the agents cannot do without a warrant is 
“exceed[] the scope of the private search.” Id. at 115. See also United States v. Miller, 152 F.3d 813, 
815-16 (8th Cir. 1998); United States v. Donnes, 947 F.2d 1430, 1434 (10th Cir. 1991). But see United 
States v. Allen, 106 F.3d 695, 699 (6th Cir. 1999) (dicta) (stating that Jacobsen does not permit law 
enforcement to reenact a private search of a private home or residence). This standard requires agents to 
limit their investigation to the precise scope of the private search when searching without a warrant after 
a private search has occurred. So long as the agents limit themselves to the scope of the private search, 
the agents’ search will not violate the Fourth Amendment. However, as soon as agents exceed the scope 
of the private warrantless search, any evidence uncovered may be suppressed. See United States v. 
Barth, 26 F. Supp.2d 929, 937 (W.D. Tex. 1998) (suppressing evidence of child pornography found on 
computer hard drive after agents viewed more files than private technician had initially viewed during 
repair of defendant’s computer). In computer cases, this aspect of Jacobsen means that private searches 
will often be useful partly as opportunities to provide the probable cause needed to obtain a warrant for a 
further search. The fact that a private person has uncovered evidence of a crime on another person’s 
computer does not permit agents to search the entire computer. Instead, the private search permits the 
agents to view the evidence that the private search revealed, and, if necessary, to use that evidence as a 
basis for procuring a warrant to search the rest of the computer. 

Although most private search issues arise when private third parties intentionally examine property 
and offer evidence of a crime to law enforcement, the same framework applies when third parties 
inadvertently expose evidence of a crime to plain view. For example, in United States v. Procopio, 88 
F.3d 21 (1st Cir. 1996), a defendant stored incriminating files in his brother’s safe. Later, thieves stole 
the safe, opened it, and abandoned it in a public park. Police investigating the theft of the safe found the 
files scattered on the ground nearby, gathered them, and then used them against the defendant in an 
unrelated case. The First Circuit held that the use of the files did not violate the Fourth Amendment, 
because the files were made openly available by the thieves’ private search. See id. at 26-27 (citing 
Jacobsen, 466 U.S. at 113). 

Importantly, the fact that the person conducting a search is not a government employee does not 
necessarily mean that the search is “private” for Fourth Amendment purposes. A search by a private 
party will be considered a Fourth Amendment government search “if the private party act[s] as an 
instrument or agent of the Government.” Skinner v. Railway Labor Executives’ Ass’n, 489 U.S. 602, 
614 (1989). The Supreme Court has offered little guidance on when private conduct can be attributed to 
the government; the Court has merely stated that this question “necessarily turns on the degree of the 
Government’s participation in the private party’s activities, ... a question that can only be resolved ‘in 
light of all the circumstances.’” Id. at 614-15 (quoting Coolidge v. New Hampshire, 403 U.S. 443, 487 
(1971)). In the absence of a more definitive standard, the various federal Courts of Appeals have 
adopted a range of approaches for distinguishing between private and government searches. About half 
of the circuits apply a ‘totality of the circumstances’ approach that examines three factors: whether the 
government knows of or acquiesces in the intrusive conduct; whether the party performing the search 
intends to assist law enforcement efforts at the time of the search; and whether the government 
affirmatively encourages, initiates or instigates the private action. See, e.g., United States v. Pervaz, 118 
F.3d 1, 6 (1st Cir. 1997); United States v. Smythe, 84 F.3d 1240, 1242-43 (10th Cir. 1996); United 
States v. McAllister, 18 F.3d 1412, 1417-18 (7th Cir. 1994); United States v. Malbrough, 922 F.2d 458, 
462 (8th Cir. 1990). Other circuits have adopted more rule-like formulations that focus on only two of 
these factors. See, e.g., United States v. Miller, 688 F.2d 652, 657 (9th Cir. 1982) (holding that private 
action counts as government conduct if, at the time of the search, the government knew of or acquiesced 
in the intrusive conduct, and the party performing the search intended to assist law enforcement efforts); 
United States v. Paige, 136 F.3d 1012, 1017 (5th Cir. 1998) (same); United States v. Lambert, 771 F.2d 
83, 89 (6th Cir. 1985) (holding that a private individual is a state actor for Fourth Amendment purposes 
if the police instigated, encouraged or participated in the search, and the individual engaged in the search 
with the intent of assisting the police in their investigative efforts). 



C. Exceptions to the Warrant Requirement in Cases Involving Computers 

Warrantless searches that violate a reasonable expectation of privacy will comply with the Fourth 
Amendment if they fall within an established exception to the warrant requirement. Cases involving 
computers often raise questions relating to how these “established” exceptions apply to new 
technologies. 



1. Consent 

Agents may search a place or object without a warrant or even probable cause if a person with 
authority has voluntarily consented to the search. See Schneckloth v. Bustamonte, 412 U.S. 218, 219 
(1973). This consent may be explicit or implicit. See United States v. Milian-Rodriguez, 759 F.2d 
1558, 1563-64 (11th Cir. 1985). Whether consent was voluntarily given is a question of fact that the 
court must decide by considering the totality of the circumstances. While no single aspect controls the 
result, the Supreme Court has identified the following important factors: the age, education, intelligence, 
physical and mental condition of the person giving consent; whether the person was under arrest; and 
whether the person had been advised of his right to refuse consent. See Schneckloth, 412 U.S. at 226. 
The government carries the burden of proving that consent was voluntary. See United States v. Price, 
599 F.2d 494, 503 (2d Cir. 1979). 

In computer crime cases, two consent issues arise particularly often. First, when does a search 
exceed the scope of consent? For example, when a target consents to the search of a machine, to what 
extent does the consent authorize the retrieval of information stored in the machine? Second, who is the 
proper party to consent to a search? Do roommates, friends, and parents have the authority to consent to 
a search of another person’s computer files? 



a) Scope of Consent 

“The scope of a consent to search is generally defined by its expressed object, and is limited by the 
breadth of the consent given.” United States v. Pena, 143 F.3d 1363, 1368 (10th Cir. 1998). The 
standard for measuring the scope of consent under the Fourth Amendment is objective reasonableness: 
“What would the typical reasonable person have understood by the exchange between the [agent] and 
the [person granting consent]?” Florida v. Jimeno, 500 U.S. 248, 251 (1991). This requires a 
fact-intensive inquiry into whether it was reasonable for the agent to believe that the scope of consent 
included the items searched. Id. Of course, when the limits of the consent are clearly given, either 
before or during the search, agents must respect these bounds. See Vaughn v. Baldwin, 950 F.2d 331, 
333 (6th Cir. 1991). 

• The permitted scope of consent searches depends on the facts of each case. 

Computer cases often raise the question of whether consent to search a location or item implicitly 
includes consent to access the memory of electronic storage devices encountered during the search. In 
such cases, courts look to whether the particular circumstances of the agents’ request for consent 
implicitly or explicitly limited the scope of the search to a particular type, scope, or duration. Because 
this approach ultimately relies on fact-driven notions of common sense, results reached in published 
opinions have hinged upon subtle (if not entirely inscrutable) distinctions. Compare United States v. 
Reyes, 922 F. Supp. 818, 834 (S.D.N.Y. 1996) (holding that consent to “look inside” a car included 
consent to retrieve numbers stored inside pagers found in car’s back seat) with United States v. Blas, 
1990 WL 265179, at *20 (E.D. Wis. 1990) (holding that consent to “look at” a pager did not include 
consent to activate pager and retrieve numbers, because looking at pager could be construed to mean 
“what the device is, or how small it is, or what brand of pager it may be”). See also United States v. 
Carey, 172 F.3d 1268, 1274 (10th Cir. 1999) (reading written consent form extremely narrowly, so that 
consent to seizure of “any property” under the defendant’s control and to “a complete search of the 
premises and property” at the defendant’s address merely permitted the agents to seize the defendant’s 
computer from his apartment, but did not permit them to search the computer off-site because it was no 
longer located at the defendant’s address). Prosecutors can strengthen their argument that the scope of 
consent included consent to search electronic storage devices by relying on analogous cases involving 
closed containers. See, e.g., United States v. Galante, 1995 WL 507249, at *3 (S.D.N.Y. 1995) (holding 
that general consent to search car included consent to have officer access memory of cellular telephone 
found in the car, relying on circuit precedent involving closed containers); Reyes, 922 F. Supp. at 834. 

Agents should be especially careful about relying on consent as the basis for a search of a 
computer when they obtain consent for one reason but then wish to conduct a search for another reason. 
In two recent cases, the Courts of Appeals suppressed images of child pornography found on computers 
after agents procured the defendant’s consent to search his property for other evidence. In United States 
v. Turner, 169 F.3d 84 (1st Cir. 1999), detectives searching for physical evidence of an attempted sexual 
assault obtained written consent from the victim’s neighbor to search the neighbor’s “premises” and 
“personal property.” Before the neighbor signed the consent form, the detectives discovered a large 
knife and blood stains in his apartment, and explained to him that they were looking for more evidence 
of the assault that the suspect might have left behind. See id. at 86. While several agents searched for 
physical evidence, one detective searched the contents of the neighbor’s personal computer and 
discovered stored images of child pornography. The neighbor was charged with possessing child 
pornography. On interlocutory appeal, the First Circuit held that the search of the computer exceeded 
the scope of consent and suppressed the evidence. According to the Court, the detectives’ statements 
that they were looking for signs of the assault limited the scope of consent to the kind of physical 
evidence that an intruder might have left behind. See id. at 88. By transforming the search for physical 
evidence into a search for computer files, the detective had exceeded the scope of consent. See id. See 
also Carey, 172 F.3d at 1277 (Baldock, J., concurring) (concluding that agents exceeded scope of consent 
by searching computer after defendant signed broadly-worded written consent form, because agents told 
defendant that they were looking for drugs and drug-related items rather than computer files containing 
child pornography) (citing Turner). 

• It is a good practice for agents to use written consent forms that state explicitly that the scope of 
consent includes consent to search computers and other electronic storage devices. 

Because the decisions evaluating the scope of consent to search computers have reached 
sometimes unpredictable results, investigators should indicate the scope of the search explicitly when 
obtaining a suspect’s consent to search a computer. 



b) Third-Party Consent 

i) General Rules 

It is common for several people to use or own the same computer equipment. If any one of those 
people gives permission to search for data, agents may generally rely on that consent, so long as the 
person has authority over the computer. In such cases, all users have assumed the risk that a co-user 
might discover everything in the computer, and might also permit law enforcement to search this 
“common area” as well. 

The watershed case in this area is United States v. Matlock, 415 U.S. 164 (1974). In Matlock, the 
Supreme Court stated that one who has “common authority” over premises or effects may consent to a 
search even if an absent co-user objects. Id. at 171. According to the Court, the common authority that 
establishes the right of third-party consent requires 

mutual use of the property by persons generally having joint access or control for most 
purposes, so that it is reasonable to recognize that any of the co-inhabitants has the right to 
permit the inspection in his own right and that the others have assumed the risk that one of 
their number might permit the common area to be searched. 

Id. at 171 n.7. 

Under the Matlock approach, a private third party may consent to a search of property under the 
third party’s joint access or control. Agents may view what the third party may see without violating 
any reasonable expectation of privacy so long as they limit the search to the zone of the consenting third 
party’s common authority. See United States v. Jacobsen, 466 U.S. 109, 119 (1984) (noting that the 
Fourth Amendment is not violated when a private third party invites the government to view the 
contents of a package under the third party’s control). This rule often requires agents to inquire into 
third parties’ rights of access before conducting a consent search, and to draw lines between those areas 
that fall within the third party’s common authority and those areas outside of the third party’s control. 
See United States v. Block, 590 F.2d 535, 541 (4th Cir. 1978) (holding that a mother could consent to a 
general search of her 23-year-old son’s room, but could not consent to a search of a locked footlocker 
found in the room). Because the joint access test does not require a unity of interests between the 
suspect and the third party, however, Matlock permits third-party consent even when the target of the 
search is present and refuses to consent to the search. See United States v. Sumlin, 567 F.2d 684, 687 
(6th Cir. 1977) (holding that woman had authority to consent to search of apartment she shared with her 
boyfriend even though boyfriend refused consent). 

Courts have not squarely addressed whether a suspect’s decision to password-protect or encrypt 
files stored in a jointly-used computer denies co-users the right to consent to a search of the files under 
Matlock. However, it appears likely that encryption and password-protection would in most cases 
indicate the absence of common authority to consent to a search among co-users who do not know the 
password or possess the encryption key. Compare United States v. Smith, 27 F. Supp.2d 1111, 1115-16 
(C.D. Ill. 1998) (concluding that a woman could consent to a search of her boyfriend’s computer located 
in their house, and noting that the boyfriend had not password-protected his files) with Block, 590 F.2d 
at 541 (concluding that a mother could not consent to search of a locked footlocker in her son’s room 
where she did not possess the key). Conversely, if the co-user has been given the password or 
encryption key by the suspect, then she probably has the requisite common authority to consent to a 
search of the files under Matlock. See United States v. Murphy, 506 F.2d 529, 530 (9th Cir. 1974) (per 
curiam) (concluding that an employee could consent to a search of an employer’s locked warehouse 
because the employee possessed the key, and finding “special significance” in the fact that the employer 
had himself delivered the key to the employee). 

As a practical matter, agents may have little way of knowing the precise bounds of a third party’s 
common authority when the agents obtain third-party consent to conduct a search. When queried, 
consenting third parties may falsely claim that they have common authority over property. In Illinois v. 
Rodriguez, 497 U.S. 177 (1990), the Supreme Court held that the Fourth Amendment does not 
automatically require suppression of evidence discovered during a consent search when it later comes to 
light that the third party who consented to the search lacked the authority to do so. See id. at 188-89. 
Instead, the Court held that agents can rely on a claim of authority to consent if based on “the facts 
available to the officer at the moment, ... a man of reasonable caution . . . [would believe] that the 
consenting party had authority” to consent to a search of the premises. Id. (internal quotations omitted) 
(quoting Terry v. Ohio, 392 U.S. 1, 21-22 (1968)). When agents reasonably rely on apparent authority 
to consent, the resulting search does not violate the Fourth Amendment. 



ii) Spouses and Domestic Partners 

• Most spousal consent searches are valid. 

Absent an affirmative showing that the consenting spouse has no access to the property searched, 
the courts generally hold that either spouse may consent to search all of the couple’s property. See, e.g., 
United States v. Duran, 957 F.2d 499, 504-05 (7th Cir. 1992) (concluding that wife could consent to 
search of barn she did not use because husband had not denied her the right to enter barn); United States 
v. Long, 524 F.2d 660, 661 (9th Cir. 1975) (holding that wife who had left her husband could consent to 
search of jointly-owned home even though husband had changed the locks). For example, in United 
States v. Smith, 27 F. Supp.2d 1111 (C.D. Ill. 1998), a man named Smith was living with a woman 
named Ushman and her two daughters. When allegations of child molestation were raised against 
Smith, Ushman consented to the search of his computer, which was located in the house in an alcove 
connected to the master bedroom. Although Ushman used Smith’s computer only rarely, the district 
court held that she could consent to the search of Smith’s computer. Because Ushman was not 
prohibited from entering the alcove and Smith had not password-protected the computer, the court 
reasoned, she had authority to consent to the search. See id. at 1115-16. Even if she lacked actual 
authority to consent, the court added, she had apparent authority to consent. See id. at 1116 (citing 
Illinois v. Rodriguez). 



iii) Parents 

• Parents can consent to searches of their children’s rooms when the children are under 18 years 
old. If the children are 18 or older, the parents may or may not be able to consent, depending on 
the facts. 

In some computer crime cases, the perpetrators are relatively young and reside with their parents. 
When the perpetrator is a minor, parental consent to search the perpetrator’s property and living space 
will almost always be valid. See 3 W. LaFave, Search and Seizure: A Treatise on the Fourth 
Amendment § 8.4(b) at 283 (2d ed. 1987) (noting that courts have rejected “even rather extraordinary 
efforts by [minor] child[ren] to establish exclusive use.”). 

When the sons and daughters who reside with their parents are legal adults, however, the issue is 
more complicated. Under Matlock, it is clear that parents may consent to a search of common areas in 
the family home regardless of the perpetrator’s age. See, e.g., United States v. Lavin, 1992 WL 373486, 
at *6 (S.D.N.Y. 1992) (recognizing right of parents to consent to search of basement room where son 
kept his computer and files). When agents would like to search an adult child’s room or other private 
areas, however, agents cannot assume that the adult’s parents have authority to consent. Although 
courts have offered divergent approaches, they have paid particular attention to three factors: the 
suspect’s age; whether the suspect pays rent; and whether the suspect has taken affirmative steps to deny 
his or her parents access to the suspect’s room or private area. When suspects are older, pay rent, 
and/or deny access to parents, courts have generally held that parents may not consent. See United 
States v. Whitfield, 939 F.2d 1071, 1075 (D.C. Cir. 1991) (holding “cursory questioning” of suspect’s 
mother insufficient to establish right to consent to search of 29-year-old son’s room); United States v. 
Durham, 1998 WL 684241, at *4 (D. Kan. 1998) (mother had neither apparent nor actual authority to 
consent to search of 24-year-old son’s room, because son had changed the locks to the room without 
telling his mother, and son also paid rent for the room). In contrast, parents usually may consent if their 
adult children do not pay rent, are fairly young, and have taken no steps to deny their parents access to 
the space to be searched. See United States v. Rith, 164 F.3d 1323, 1331 (10th Cir. 1999) (suggesting 
that parents are presumed to have authority to consent to a search of their 18-year-old son’s room 
because he did not pay rent); United States v. Block, 590 F.2d 535, 541 (4th Cir. 1978) (mother could 
consent to police search of 23-year-old son’s room when son did not pay rent). 



iv) System Administrators 

Every computer network is managed by a “system administrator” or “system operator” whose job 
is to keep the network running smoothly, monitor security, and repair the network when problems arise. 
System operators have “root level” access to the systems they administer, which effectively grants them 
master keys to open any account and read any file on their systems. When investigators suspect that a 
network account contains relevant evidence, they may feel inclined to seek the system administrator’s 
consent to search the contents of that account. 

As a practical matter, the primary barrier to searching a network account pursuant to a system 
administrator’s consent is statutory, not constitutional. System administrators typically serve as agents 
of “provider[s] of electronic communication service” under the Electronic Communications Privacy Act 
(“ECPA”), 18 U.S.C. §§ 2701-11. ECPA regulates law enforcement efforts to obtain the consent of a 
system administrator to search an individual’s account. See 18 U.S.C. § 2702-03. Accordingly, any 
attempt to obtain a system administrator’s consent to search an account must comply with ECPA. See 
generally Chapter 3, “The Electronic Communications Privacy Act,” infra. 

To the extent that ECPA authorizes system administrators to consent to searches, the resulting 
consent searches will in most cases comply with the Fourth Amendment. The first reason is that 
individuals may not retain a reasonable expectation of privacy in the remotely stored files and records 
that their network accounts contain. See generally Reasonable Expectation of Privacy and Third Party 
Possession, supra. If an individual does not retain a constitutionally reasonable expectation of privacy 
in his remotely stored files, it will not matter whether the system administrator has the necessary joint 
control over the account needed to satisfy the Matlock test because a subsequent search will not violate 
the Fourth Amendment. 

In the event that a court holds that an individual does possess a reasonable expectation of privacy 
in remotely stored account files, whether a system administrator’s consent would satisfy Matlock should 
depend on the circumstances. Clearly, the system administrator’s access to all network files does not by 
itself provide the common authority that triggers authority to consent. In the pre-Matlock case of Stoner 
v. California, 376 U.S. 483 (1964), the Supreme Court held that a hotel clerk lacked the authority to 
consent to the search of a hotel room. Although the clerk was permitted to enter the room to perform his 
duties, and the guest had left his room key with the clerk, the Court concluded that the clerk could not 
consent to the search. If the hotel guest’s protection from unreasonable searches and seizures “were left 
to depend on the unfettered discretion of an employee of the hotel,” Justice Stewart reasoned, it would 
“disappear.” Id. at 490. See also Chapman v. United States, 365 U.S. 610 (1961) (holding that a 
landlord lacks authority to consent to search of premises used by tenant); United States v. Most, 876 
F.2d 191, 199-200 (D.C. Cir. 1989) (holding that store clerk lacks authority to consent to search of 
packages left with clerk for safekeeping). To the extent that the access of a system operator to a network 
account is analogous to the access of a hotel clerk to a hotel room, the claim that a system operator may 
consent to a search of Fourth Amendment-protected files is weak. Cf. Barth, 26 F. Supp.2d at 938 
(holding that computer repairman’s right to access files for limited purpose of repairing computer did 
not create authority to consent to government search through files). 

Of course, the hotel clerk analogy may be inadequate in some circumstances. For example, an 
employee generally does not have the same relationship with the system administrator of his company’s 
network as a customer of a private ISP such as AOL might have with the ISP’s system administrator. 
The company may grant the system administrator of the company network full rights to access employee 
accounts for any work-related reason, and the employees may know that the system administrator has 
such access. In circumstances such as this, the system administrator would likely have sufficient 
common authority over the accounts to be able to consent to a search. See generally Note, Keeping 
Secrets in Cyberspace: Establishing Fourth Amendment Protection for Internet Communication, 110 
Harv. L. Rev. 1591, 1602-03 (1997). See also United States v. Clarke, 2 F.3d 81, 85 (4th Cir. 1993) 
(holding that a drug courier hired to transport the defendant’s locked toolbox containing drugs had 
common authority under Matlock to consent to a search of the toolbox stored in the courier’s trunk). 
Further, in the case of a government network, the Fourth Amendment rules would likely differ 
dramatically from the rules that apply to private networks. See generally O’Connor v. Ortega, 480 U.S. 
709 (1987) (explaining how the Fourth Amendment applies within government workplaces) (discussed 
infra). 



c) Implied Consent 

Individuals often enter into agreements with the government in which they waive some of their 
Fourth Amendment rights. For example, prison guards may agree to be searched for drugs as a 
condition of employment, and visitors to government buildings may agree to a limited search of their 
person and property as a condition of entrance. Similarly, users of computer systems may waive their 
rights to privacy as a condition of using the systems. When individuals who have waived their rights are 
then searched and challenge the searches on Fourth Amendment grounds, courts typically focus on 
whether the waiver eliminated the individual’s reasonable expectation of privacy against the search. 
See, e.g., American Postal Workers Union, Columbus Area Local AFL-CIO v. United States Postal 
Service, 871 F.2d 556, 56-61 (6th Cir. 1989) (holding that postal employees retained no reasonable 
expectation of privacy in government lockers after signing waivers). 

A few courts have approached the same problem from a slightly different direction and have asked 
whether the waiver established implied consent to the search. According to the doctrine of implied 
consent, consent to a search may be inferred from an individual’s conduct. For example, in United 
States v. Ellis, 547 F.2d 863 (5th Cir. 1977), a civilian visiting a naval air station agreed to post a 
visitor’s pass on the windshield of his car as a condition of bringing the car on the base. The pass stated 
that “[a]cceptance of this pass gives your consent to search this vehicle while entering, aboard, or 
leaving this station.” Id. at 865 n.1. During the visitor’s stay on the base, a station investigator who 
suspected that the visitor had stored marijuana in the car approached the visitor and asked him if he had 
read the pass. After the visitor admitted that he had, the investigator searched the car and found 20 
plastic bags containing marijuana. The Fifth Circuit ruled that the warrantless search of the car was 
permissible, because the visitor had impliedly consented to the search when he knowingly and 
voluntarily entered the base with full knowledge of the terms of the visitor’s pass. See id. at 866-67. 

Ellis notwithstanding, it must be noted that several circuits have been critical of the implied 
consent doctrine in the Fourth Amendment context. Despite the Fifth Circuit’s broad construction, other 
courts have proven reluctant to apply the doctrine absent evidence that the suspect actually knew of the 
search and voluntarily consented to it at the time the search occurred. See McCann v. Northeast Illinois 
Regional Commuter R.R. Corp., 8 F.3d 1174, 1179 (7th Cir. 1993) (“Courts confronted with claims of 
implied consent have been reluctant to uphold a warrantless search based simply on actions taken in the 
light of a posted notice.”); Securities and Law Enforcement Employees, District Council 82 v. Carey, 
737 F.2d 187, 202 n.23 (2d Cir. 1984) (rejecting argument that prison guards impliedly consented to 
search by accepting employment at prison where consent to search was a condition of employment). 
Absent such evidence, these courts have preferred to examine general waivers of Fourth Amendment 
rights solely under the reasonable-expectation-of-privacy test. See id. 



2. Exigent Circumstances 

Under the “exigent circumstances” exception to the warrant requirement, agents can search 
without a warrant if the circumstances “would cause a reasonable person to believe that entry . . . was 
necessary to prevent physical harm to the officers or other persons, the destruction of relevant evidence, 
the escape of the suspect, or some other consequence improperly frustrating legitimate law enforcement 
efforts.” See United States v. Alfonso. 759 E.2d 728. 742 t9th Cir. 1985). In determining whether 
exigent circumstances exist, agents should consider: (1) the degree of urgency involved, (2) the amount 
of time necessary to obtain a warrant, (3) whether the evidence is about to be removed or destroyed, (4) 
the possibility of danger at the site, (5) information indicating the possessors of the contraband know the 
police are on their trail, and (6) the ready destructibility of the contraband. See United States v. Reed, 
935 F.2d 641, 642 (4th Cir. 1991). 

Exigent circumstances often arise in computer cases because electronic data is perishable. 
Computer commands can destroy data in a matter of seconds, as can humidity, temperature, physical 
mutilation, or magnetic fields created, for example, by passing a strong magnet over a disk. For 
example, in United States v. David, 756 F. Supp. 1385 (D. Nev. 1991), agents saw the defendant 
deleting files on his computer memo book, and seized the computer immediately. The district court held 
that the agents did not need a warrant to seize the memo book because the defendant’s acts had created 
exigent circumstances. See id. at 1392. Similarly, in United States v. Romero-Garcia, 991 F. Supp. 
1223, 1225 (D. Or. 1997), aff’d on other grounds 168 F.3d 502 (9th Cir. 1999), a district court held that 
agents had properly accessed the information in an electronic pager in their possession because they had 
reasonably believed that it was necessary to prevent the destruction of evidence. The information stored 
in pagers is readily destroyed, the court noted: incoming messages can delete stored information, and 
batteries can die, erasing the information. Accordingly, the agents were justified in accessing the pager 
without first acquiring a warrant. See id. See also United States v. Ortiz, 84 F.3d 977, 984 (7th Cir. 
1996) (in conducting search incident to arrest, agents were justified in retrieving numbers from pager 
because pager information is easily destroyed). Of course, in computer cases, as in all others, the 
existence of exigent circumstances is absolutely tied to the facts. Compare Romero-Garcia, 911 F. Supp. 
at 1225 with David, 756 F. Supp. at 1392 n.2 (dismissing as “lame” the government’s argument that 
exigent circumstances supported search of a battery-operated computer because the agent did not know 
how much longer the computer’s batteries would live) and United States v. Reyes, 922 F. Supp. 818, 
835-36 (S.D.N.Y. 1996) (concluding that exigent circumstances could not justify search of a pager 
because the government agent unlawfully created the exigency by turning on the pager). 

Importantly, the existence of exigent circumstances does not permit agents to search or seize 
beyond what is necessary to prevent the destruction of the evidence. When the exigency ends, the right 
to conduct warrantless searches does as well: the need to take certain steps to prevent the destruction of 
evidence does not authorize agents to take further steps without a warrant. See United States v. Doe, 61 
F.3d 107, 110-11 (1st Cir. 1995). Accordingly, the seizure of computer hardware to prevent the 
destruction of information it contains will not ordinarily support a subsequent search of that information 
without a warrant. See David, 756 F. Supp. at 1392. 



3. Plain View 

Evidence of a crime may be seized without a warrant under the plain view exception to the warrant 
requirement. To rely on this exception, the agent must be in a lawful position to observe and access the 
evidence, and its incriminating character must be immediately apparent. See Horton v. California, 496 
U.S. 128 (1990). For example, if an agent conducts a valid search of a hard drive and comes across 
evidence of an unrelated crime while conducting the search, the agent may seize the evidence under the 
plain view doctrine. 

• The plain view doctrine does not authorize agents to open a computer file and view its contents. 
The contents of an unopened computer file are not in plain view. 

Importantly, the plain view exception cannot justify violations of an individual’s reasonable 
expectation of privacy. The exception merely permits the seizure of evidence that has already been 
viewed in accordance with the Fourth Amendment. In computer cases, this means that the government 
cannot rely on the plain view exception to justify opening a closed computer file. The contents of a file 
that must be opened to be viewed are not in ‘plain view.’ See United States v. Maxwell, 45 M.J. 406, 
422 (C.A.A.F. 1996). This rule accords with decisions applying the plain view exception to closed 
containers. See, e.g., United States v. Villarreal, 963 F.2d 770, 776 (5th Cir. 1992) (concluding that 
labels fixed to opaque 55-gallon drums do not expose the contents of the drums to plain view). (“[A] 
label on a container is not an invitation to search it. If the government seeks to learn more than the label 
reveals by opening the container, it generally must obtain a search warrant.”). 

United States v. Carey, 172 F.3d 1268, 1273 (10th Cir. 1999), provides a useful example. In 
Carey, a police detective searching a hard drive with a warrant for drug trafficking evidence opened a 
“jpg” file and instead discovered child pornography. At that point, the detective abandoned the search 
for drug trafficking evidence and spent five hours accessing and downloading several hundred “jpg” 
files in a search for more child pornography. When the defendant moved to exclude the child 
pornography files on the ground that they were seized beyond the scope of the warrant, the government 
argued that the detective had seized the “jpg” files properly because the contents of the contraband files 
were in plain view. The Tenth Circuit rejected this argument with respect to all of the files except for 
the first “jpg” file the detective discovered. See id. at 1273, 1273 n.4. Although the court’s reasoning is 
somewhat opaque, this aspect of Carey seems sensible. The plain view exception permits agents to seize 
property found in plain view, not to infringe a suspect’s right to privacy until his property comes into 
plain view. As a result, the detective could seize the first “jpg” file that came into plain view when the 
detective was executing the search warrant, but could not rely on the plain view exception to justify the 
search for additional “jpg” files on the defendant’s computers that were beyond the scope of the warrant. 



4. Search Incident to a Lawful Arrest 

Pursuant to a lawful arrest, agents may conduct a “full search” of the arrested person, and a more 
limited search of his surrounding area, without a warrant. See United States v. Robinson, 414 U.S. 218, 
235 (1973); Chimel v. California, 395 U.S. 752, 762-63 (1969). For example, in Robinson, a police 
officer conducting a patdown search incident to an arrest for a traffic offense discovered a crumpled 
cigarette package in the suspect’s left breast pocket. Not knowing what the package contained, the 
officer opened the package and discovered fourteen capsules of heroin. The Supreme Court held that 
the search of the package was permissible, even though the officer had no articulable reason to open the 
package. See id. at 234-35. In light of the general need to preserve evidence and prevent harm to the 
arresting officer, the Court reasoned, it was per se reasonable for an officer to conduct a “full search of 
the person” pursuant to a lawful arrest. Id. at 235. 

Due to the increasing use of handheld and portable computers and other electronic storage devices, 
agents often encounter computers when conducting searches incident to lawful arrests. Suspects may be 
carrying pagers, Personal Digital Assistants (such as Palm Pilots), or even laptop computers when they 
are arrested. Does the search-incident-to-arrest exception permit an agent to access the memory of an 
electronic storage device found on the arrestee’s person during a warrantless search incident to arrest? 

In the case of electronic pagers, the answer clearly is “yes.” Relying on Robinson, courts have 
uniformly permitted agents to access electronic pagers carried by the arrested person at the time of 
arrest. See United States v. Reyes, 922 F. Supp. 818, 833 (S.D.N.Y. 1996) (holding that accessing 
numbers in a pager found in bag attached to defendant’s wheelchair within twenty minutes of arrest falls 
within search-incident-to-arrest exception); United States v. Chan, 830 F. Supp. 531, 535 (N.D. Cal. 
1993); United States v. Lynch, 908 F. Supp. 284, 287 (D.V.I. 1995); Yu v. United States, 1997 WL 
423070 (S.D.N.Y. 1997); United States v. Thomas, 114 F.3d 403, 404 n.2 (3d Cir. 1997) (dicta). See 
also United States v. Ortiz, 84 F.3d 977, 984 (7th Cir. 1996) (same holding, but relying on an exigency 
theory). 

Courts have not yet addressed whether Robinson will permit warrantless searches of electronic 
storage devices that contain more information than pagers. In the paper world, certainly, cases have 
allowed extensive searches of written materials discovered incident to lawful arrests. For example, 
courts have uniformly held that agents may inspect the entire contents of a suspect’s wallet found on his 
person. See, e.g., United States v. Castro, 596 F.2d 674, 676 (5th Cir. 1979); United States v. Molinaro, 
877 F.2d 1341, 1347 (7th Cir. 1989) (citing cases). Similarly, one court has held that agents could 
photocopy the entire contents of an address book found on the defendant’s person during the arrest, see 
United States v. Rodriguez, 995 F.2d 776, 778 (7th Cir. 1993), and others have permitted the search of a 
defendant’s briefcase that was at his side at the time of arrest. See, e.g., United States v. Johnson, 846 
F.2d 279, 283-84 (5th Cir. 1988); United States v. Lam Muk Chiu, 522 F.2d 330, 332 (2d Cir. 1975). If 
agents can examine the contents of wallets, address books, and briefcases without a warrant, it could be 
argued that they should be able to search their electronic counterparts (such as electronic organizers, 
floppy disks, and Palm Pilots) as well. Cf. United States v. Tank, 200 F.3d 627, 632 (9th Cir. 2000) (holding 
that agents searching a car incident to a valid arrest properly seized a Zip disk found in the car, but 
failing to discuss whether the agents obtained a warrant before searching the disk for images of child 
pornography). 

The limit on this argument is that any search incident to an arrest must be reasonable. See Swain 
v. Spinney, 117 F.3d 1, 6 (1st Cir. 1997). While a search of physical items found on the arrestee’s 
person may always be reasonable, more invasive searches in different circumstances may violate the 
Fourth Amendment. See, e.g., Mary Beth G. v. City of Chicago, 723 F.2d 1263, 1269-71 (7th Cir. 1983) 
(holding that Robinson does not permit strip searches incident to arrest because such searches are not 
reasonable in context). For example, the increasing storage capacity of handheld computers suggests 
that Robinson’s bright line rule may not always apply in the case of electronic searches. Courts may 
conclude that a quick search through a pager that stores a few phone numbers is reasonable incident to 
an arrest, but that a very time-consuming search through a handheld computer that contains an entire 
warehouse of information presents a different case. Cf. United States v. O’Razvi, 1998 WL 405048, at 
*7 n.7 (S.D.N.Y. 1998). When in doubt, agents should obtain a search warrant before examining the 
contents of electronic storage devices that might contain large amounts of information. 



5. Inventory Searches 

Law enforcement officers routinely inventory the items they have seized. Such “inventory 
searches” are reasonable — and therefore fall under an exception to the warrant requirement — when 
two conditions are met. First, the search must serve a legitimate, non-investigatory purpose (e.g., to 
protect an owner’s property while in custody; to insure against claims of lost, stolen, or vandalized 
property; or to guard the police from danger) that outweighs the intrusion on the individual’s Fourth 
Amendment rights. See Illinois v. Lafayette, 462 U.S. 640, 644 (1983); South Dakota v. Opperman, 428 
U.S. 364, 369 (1976). Second, the search must follow standardized procedures. See Colorado v. 
Bertine, 479 U.S. 367, 374 n.6 (1987); Florida v. Wells, 495 U.S. 1, 4-5 (1990). 

It is unlikely that the inventory-search exception to the warrant requirement would support a 
search through seized computer files. See O’Razvi, 1998 WL 405048, at *6-7 (noting the difficulties of 
applying the inventory-search requirements to computer disks). Even assuming that standard procedures 
authorized such a search, the legitimate purposes served by inventory searches in the physical world do 
not translate well into the intangible realm. Information does not generally need to be reviewed to be 
protected, and does not pose a risk of physical danger. Although an owner could claim that his 
computer files were altered or deleted while in police custody, examining the contents of the files would 
offer little protection from tampering. Accordingly, agents will generally need to obtain a search warrant 
in order to examine seized computer files held in custody. 



6. Border Searches 

In order to protect the government’s ability to monitor contraband and other property that may 
enter or exit the United States illegally, the Supreme Court has recognized a special exception to the 
warrant requirement for searches that occur at the border of the United States. According to the Court, 
“routine searches” at the border or its functional equivalent do not require a warrant, probable cause, or 
even reasonable suspicion that the search may uncover contraband or evidence. United States v. 
Montoya De Hernandez, 473 U.S. 531, 538 (1985). Searches that are especially intrusive require at least 
reasonable suspicion, however. See id. at 541. These rules apply to people and property both entering 
and exiting the United States. See United States v. Oriakhi, 57 F.3d 1290, 1297 (4th Cir. 1995). 

At least one court has interpreted the border search exception to permit a warrantless search of a 
computer disk for contraband computer files. In United States v. Roberts, 86 F. Supp.2d 678 (S.D. Tex. 
2000), United States Customs Agents learned that William Roberts, a suspect believed to be carrying 
computerized images of child pornography, was scheduled to fly from Houston, Texas to Paris, France 
on a particular day. On the day of the flight, the agents set up an inspection area in the jetway at the 
Houston airport with the sole purpose of searching Roberts. Roberts arrived at the inspection area and 
was told by the agents that they were searching for “currency” and “high technology or other data” that 
could not be exported legally. Id. at 681. After the agents searched Roberts’ property and found a laptop 
computer and six Zip diskettes, Roberts agreed to sign a consent form permitting the agents to search his 
property. A subsequent search revealed several thousand images of child pornography. See id. at 682. 
When charges were brought, Roberts moved for suppression of the computer files, but the district court 
ruled that the search had not violated the Fourth Amendment. According to the court, the search of 
Roberts’ luggage had been a “routine search” for which no suspicion was required, even though the 
justification for the search offered by the agents merely had been a pretext. See id. at 686 (citing Whren 
v. United States, 517 U.S. 806 (1996)). The court also concluded that Roberts’ consent justified the 
search of the laptop and diskettes, and indicated that even if Roberts had not consented to the search, 
“[t]he search of the defendant’s computer and diskettes would have been a routine export search, valid 
under the Fourth Amendment.” See Roberts, 98 F. Supp.2d at 688. 

Importantly, agents and prosecutors should not interpret Roberts as permitting the interception of 
data transmitted electronically to and from the United States. Any real-time interception of 
electronically transmitted data in the United States must comply strictly with the requirements of Title 
III, 18 U.S.C. §§ 2510-22. See generally Chapter 4. Further, once electronically transferred data from 
outside the United States arrives at its destination within the United States, the government ordinarily 
cannot rely on the border search exception to search for and seize the data because the data is no longer 
at the border or its functional equivalent. Cf. Almeida-Sanchez v. United States, 413 U.S. 266, 273-74 
(1973) (concluding that a search that occurred 25 miles from the United States border did not qualify for 
the border search exception, even though the search occurred on a highway known as a common route 
for illegal aliens, because it did not occur at the border or its functional equivalent). 



7. International Issues 

Outside the United States border, searching and seizing electronic evidence raises difficult 
questions of both law and policy. Because the Internet is a global network, international issues may 
arise in many cases; even a domestic investigation may involve a computer system, data, witness or 
subject located in a foreign jurisdiction. In such cases, the Fourth Amendment may or may not apply, 
depending on the circumstances. See generally United States v. Verdugo-Urquidez, 494 U.S. 259 
(1990) (considering the extent to which the Fourth Amendment applies to searches outside of the United 
States). However, international policies regarding sovereignty and privacy may require the United 
States to take actions ranging from informal notice to a formal request for assistance to the country 
concerned. 

This manual will not attempt to provide detailed guidance on how to resolve international issues 
that arise in such cases. Investigators and prosecutors should contact the Office of International Affairs 
at (202) 514-0000 for assistance. However, a few basic principles can be stated here. The United States 
maintains approximately 40 bilateral mutual legal assistance treaty relationships and many other 
relationships pursuant to letters rogatory or other longstanding means of cooperation. While 
with respect to computer and electronic evidence is under further development internationally, these 
treaty structures and ongoing relationships continue to provide the legal and practical means by which 
the United States both seeks and provides legal assistance. When agents learn prior to a search that 
some or all of the data to be searched is located in a foreign jurisdiction, they should seek advice from 
the Office of International Affairs as to the need for and appropriate means to seek assistance from that 
country. 

When immediate international assistance is required, the international network of 24-hour Points 
of Contact established by the High-tech Crime Subgroup of the G-8 countries can provide assistance, 
such as preserving data and assisting in real-time tracing of cross-border communications. See generally 
Michael A. Sussmann, The Critical Challenges from International High-Tech and Computer-Related 
Crime at the Millennium, 9 Duke J. Comp. & Int’l L. 451, 484 (1999). The network is available 
twenty-four hours a day to respond to urgent requests for assistance in international high-tech crime 
investigations, or cases involving electronic evidence. The membership currently includes Australia, 
Brazil, Canada, Denmark, Finland, France, Germany, Italy, Japan, Republic of Korea, Luxembourg, 
Russia, Spain, Sweden, United Kingdom, and the United States, and continues to grow. The Point of 
Contact for the United States is CCIPS, which can be contacted at (202) 514-1026 during regular 
business hours, or, after hours, through the DOJ Command Center at (202) 514-5000. CCIPS also has 
computer crime law enforcement contacts in countries beyond members of the network; agents and 
prosecutors can call CCIPS for assistance. 

Finally, international issues may also arise when the United States responds to foreign requests for 
international legal assistance for computer and electronic evidence. Investigators and prosecutors can 
contact the Office of International Affairs ((202) 514-0000) or CCIPS for additional advice. 



D. Special Case: Workplace Searches 

Warrantless workplace searches deserve a separate analysis because they occur often in computer 
cases and raise unusually complicated legal issues. The primary cause of the analytical difficulty is the 
Supreme Court’s complex decision in O’Connor v. Ortega, 480 U.S. 709 (1987). Under O’Connor, the 
legality of warrantless workplace searches depends on often-subtle factual distinctions such as whether 
the workplace is public sector or private sector, whether employment policies exist that authorize a 
search, and whether the search is work-related. 

Every warrantless workplace search must be evaluated carefully on its facts. In general, however, 
law enforcement officers can conduct a warrantless search of private (i.e., non-government) workplaces 
only if the officers obtain the consent of either the employer or another employee with common 
authority over the area searched. In public (i.e., government) workplaces, officers cannot rely on an 
employer’s consent, but can conduct searches if written employment policies or office practices 
establish that the government employees targeted by the search cannot reasonably expect privacy in their 
workspace. Further, government employers and supervisors can conduct reasonable work-related 
searches of employee workspaces without a warrant even if the searches violate employees’ reasonable 
expectation of privacy. 

One cautionary note is in order before we proceed. This discussion evaluates the legality of 
warrantless workplace searches of computers under the Fourth Amendment. In many cases, however, 
workplace searches will implicate federal privacy statutes in addition to the Fourth Amendment. For 
example, efforts to obtain an employee’s files and e-mail from the employer’s network server raise 
issues under the Electronic Communications Privacy Act, 18 U.S.C. §§ 2701-11 (discussed in Chapter 
3), and workplace monitoring of an employee’s Internet use implicates Title III, 18 U.S.C. §§ 2510-22 
(discussed in Chapter 4). Before conducting a workplace search, investigators must make sure that their 
search will not violate either the Fourth Amendment or relevant federal privacy statutes. Investigators 
should contact CCIPS at (202) 514-1026 or the CTC in their district for further assistance. 



1. Private Sector Workplace Searches 

The rules for conducting warrantless searches and seizures in private-sector workplaces generally 
mirror the rules for conducting warrantless searches in homes and other personal residences. Private 
company employees generally retain a reasonable expectation of privacy in their workplaces. As a 
result, private-workplace searches by law enforcement will usually require a warrant unless the agents 
can obtain the consent of an employer or a co-worker with common authority. 



a) Reasonable Expectation of Privacy in Private-Sector Workplaces 

Private-sector employees will usually retain a reasonable expectation of privacy in their office 
space. In Mancusi v. DeForte, 392 U.S. 364 (1968), police officers conducted a warrantless search of an 
office at a local union headquarters that defendant Frank DeForte shared with several other union 
officials. In response to DeForte’s claim that the search violated his Fourth Amendment rights, the 
police officers argued that the joint use of the space by DeForte’s co-workers made his expectation of 
privacy unreasonable. The Court disagreed, stating that DeForte “still could reasonably have expected 
that only [his officemates] and their personal or business guests would enter the office, and that records 
would not be touched except with their permission or that of union higher-ups.” Id. at 369. Because 
only a specific group of people actually enjoyed joint access and use of DeForte’s office, the officers’ 
presence violated DeForte’s reasonable expectation of privacy. See id. See also United States v. Most, 
876 F.2d 191, 198 (D.C. Cir. 1989) (“[A]n individual need not shut himself off from the world in order 
to retain his fourth amendment rights. He may invite his friends into his home but exclude the police; he 
may share his office with co-workers without consenting to an official search.”); United States v. Lyons, 
706 F.2d 321, 325 (D.C. Cir. 1983) (“One may freely admit guests of one’s choosing — or be legally 
obligated to admit specific persons — without sacrificing one’s right to expect that a space will remain 
secure against all others.”). As a practical matter, then, private employees will generally retain an 
expectation of privacy in their work space unless that space is “open to the world at large.” Id. at 326. 



b) Consent in Private-Sector Workplaces 

Although most non-government workplaces will support a reasonable expectation of privacy from 
a law enforcement search, agents can defeat this expectation by obtaining the consent of a party who 
exercises common authority over the area searched. See Matlock, 415 U.S. at 171. In practice, this 
means that agents can often overcome the warrant requirement by obtaining the consent of the target’s 
employer or supervisor. Depending on the facts, a co-worker’s consent may suffice as well. 

Private-sector employers and supervisors generally enjoy a broad authority to consent to searches 
in the workplace. For example, in United States v. Gargiso, 456 F.2d 584 (2d Cir. 1972), a pre-Matlock 
case, agents conducting a criminal investigation of an employee of a private company sought access to a 
locked, wired-off area in the employer’s basement. The agents explained their needs to the company’s 
vice-president, who took the agents to the basement and opened the basement with his key. When the 
employee attempted to suppress the evidence that the agents discovered in the basement, the court held 
that the vice-president’s consent was effective. Because the vice-president shared supervisory power 
over the basement with the employee, the court reasoned, he could consent to the agents’ search of that 
area. Id. at 586-87. See also United States v. Bilanzich, 771 F.2d 292, 296-97 (7th Cir. 1985) (holding 
that the owner of a hotel could consent to search of locked room used by hotel employee to store 
records, even though owner did not carry a key, because employee worked at owner’s bidding); J.L. Foti 
Constr. Co. v. Donovan, 786 F.2d 714, 716-17 (6th Cir. 1986) (per curiam) (holding that a general 
contractor’s superintendent could consent to an inspection of an entire construction site, including 
subcontractor’s work area). In a close case, an employment policy or computer network banner that 
establishes the employer’s right to consent to a workplace search can help establish the employer’s 
common authority to consent under Matlock. See Appendix A. 

Agents should be careful about relying on a co-worker’s consent to conduct a workplace search. 
While employers generally retain the right to access their employees’ work spaces, co-workers may or 
may not, depending on the facts. When co-workers do exercise common authority over a workspace, 
however, investigators can rely on a co-worker’s consent to search that space. For example, in United 
States v. Buettner-Janusch, 646 F.2d 759 (2d Cir. 1981), a professor and an undergraduate research 
assistant at New York University consented to a search of an NYU laboratory managed by a second 
professor suspected of using his laboratory to manufacture LSD and other drugs. Although the search 
involved opening vials and several other closed containers, the Second Circuit held that Matlock 
authorized the search because both consenting co-workers had been authorized to make full use of the 
lab for their research. See id. at 765-66. See also United States v. Jenkins, 46 F.3d 447, 455-58 (5th 
Cir. 1995) (allowing an employee to consent to a search of the employer’s property); United States v. 
Murphy, 506 F.2d 529, 530 (9th Cir. 1974) (per curiam) (same); United States v. Longo, 70 F. Supp.2d 
225, 256 (W.D.N.Y. 1999) (allowing secretary to consent to search of employer’s computer). But see 
United States v. Buitrago Pelaez, 961 F. Supp. 64, 67-68 (S.D.N.Y. 1997) (holding that a receptionist 
could consent to a general search of the office, but not of a locked safe to which receptionist did not 
know the combination). 



c) Employer Searches in Private-Sector Workplaces 

Warrantless workplace searches by private employers rarely violate the Fourth Amendment. So 
long as the employer is not acting as an instrument or agent of the Government at the time of the search, 
the search is a private search and the Fourth Amendment does not apply. See Skinner v. Railway Labor 
Executives’ Ass’n, 489 U.S. 602, 614 (1989). 



2. Public-Sector Workplace Searches 

Although warrantless computer searches in private-sector workplaces follow familiar Fourth 
Amendment rules, the application of the Fourth Amendment to public-sector workplace searches of 
computers presents a different matter. In O’Connor v. Ortega, 480 U.S. 709 (1987), the Supreme Court 
introduced a distinct framework for evaluating warrantless searches in government workplaces that 
applies to computer searches. According to O’Connor, a government employee can enjoy a reasonable 
expectation of privacy in his workplace. See id. at 717 (O’Connor, J., plurality opinion); Id. at 721 
(Scalia, J., concurring). However, an expectation of privacy becomes unreasonable if “actual office 
practices and procedures, or . . . legitimate regulation” permit the employee’s supervisor, co-workers, or 
the public to enter the employee’s workspace. Id. at 717 (O’Connor, J., plurality opinion). Further, 
employers can conduct “reasonable” warrantless searches even if the searches violate an employee’s 
reasonable expectation of privacy. Such searches include work-related, noninvestigatory intrusions 
(e.g., entering an employee’s locked office to retrieve a file) and reasonable investigations into 
work-related misconduct. See id. at 725-26 (O’Connor, J., plurality opinion); Id. at 732 (Scalia, J., 
concurring). 



a) Reasonable Expectation of Privacy in Public Workplaces 

The reasonable expectation of privacy test formulated by the O’Connor plurality asks whether a 
government employee’s workspace is “so open to fellow employees or to the public that no expectation 
of privacy is reasonable.” O’Connor, 480 U.S. at 718 (plurality opinion). This standard differs 
significantly from the standard analysis applied in private workplaces. Whereas private-sector 
employees enjoy a reasonable expectation of privacy in their workspace unless the space is “open to the 
world at large,” Lyons, 706 F.2d at 326, government employees retain a reasonable expectation of 
privacy in the workplace only if a case-by-case inquiry into “actual office practices and procedures” 
shows that it is reasonable for employees to expect that others will not enter their space. See O’Connor, 
480 U.S. at 717 (plurality opinion); Rossi v. Town of Pelham, 35 F. Supp.2d 58, 63 (D.N.H. 1997). See 
also O’Connor, 480 U.S. at 730-31 (Scalia, J., concurring) (noting the difference between the 
expectation-of-privacy analysis offered by the O’Connor plurality and that traditionally applied in 
private workplace searches). From a practical standpoint, then, public employees are less likely to retain 
a reasonable expectation of privacy against government searches at work than are private employees. 

Courts evaluating public employees’ reasonable expectation of privacy in the wake of O’Connor 
have considered the following factors: whether the work area in question is assigned solely to the 
employee; whether others have access to the space; whether the nature of the employment requires a 
close working relationship with others; whether office regulations place employees on notice that certain 
areas are subject to search; and whether the property searched is public or private. See Vega-Rodriguez 
v. Puerto Rico Tel. Co., 110 F.3d 174, 179-80 (1st Cir. 1997) (summarizing cases); United States v. 
Mancini, 8 F.3d 104, 109 (1st Cir. 1993). In general, the courts have rejected claims of an expectation 
of privacy in an office when the employee knew or should have known that others could access the 
employee’s workspace. See, e.g., Sheppard v. Beerman, 18 F.3d 147, 152 (2d Cir. 1994) (holding that 
judge’s search through his law clerk’s desk and file cabinets did not violate the clerk’s reasonable 
expectation of privacy because of the clerk’s close working relationship with the judge); Schowengerdt 
v. United States, 944 F.2d 483, 488 (9th Cir. 1991) (holding that civilian engineer employed by the 
Navy who worked with classified documents at an ordnance plant had no reasonable expectation of 
privacy in his office because investigators were known to search employees’ offices for evidence of 
misconduct on a regular basis). But see United States v. Taketa, 923 F.2d 665, 673 (9th Cir. 1991) 
(concluding in dicta that public employee retained expectation of privacy in office shared with several 
co-workers). In contrast, the courts have found that a search violates a public employee’s reasonable 
expectation of privacy when the employee had no reason to expect that others would access the space 
searched. See O’Connor, 480 U.S. at 718-19 (plurality) (holding that physician at state hospital retained 
expectation of privacy in his desk and file cabinets where there was no evidence that other employees 
could enter his office and access its contents); Rossi, 35 F. Supp. 2d at 64 (holding that town clerk 
enjoyed reasonable expectation of privacy in 8' x 8' office that the public could not access and other 
town employees did not enter). 

While agents must evaluate whether a public employee retains a reasonable expectation of privacy 
in the workplace on a case-by-case basis, official written employment policies can simplify the task 
dramatically. See O’Connor, 480 U.S. at 717 (plurality) (noting that “legitimate regulation” of the 
workplace can reduce public employees’ Fourth Amendment protections). Courts have uniformly deferred to 
public employers’ official policies that expressly authorize access to the employee’s workspace, and 
have relied on such policies when ruling that the employee cannot retain a reasonable expectation of 
privacy in the workplace. See American Postal Workers Union, Columbus Area Local AFL-CIO v. 
United States Postal Serv., 871 F.2d 556, 56-61 (6th Cir. 1989) (holding that postal employees retained 
no reasonable expectation of privacy in contents of government lockers after signing waivers stating that 
lockers were subject to inspection at any time, even though lockers contained personal items); United 
States v. Bunkers, 521 F.2d 1217, 1219-1220 (9th Cir. 1975) (same, noting language in postal manual 
stating that locker is “subject to search by supervisors and postal inspectors”). Of course, whether a 
specific policy eliminates a reasonable expectation of privacy is a factual question. Employment policies 
that do not explicitly address employee privacy may prove insufficient to eliminate Fourth Amendment 
protection. See, e.g., Taketa, 923 F.2d at 672-73 (concluding that regulation requiring DEA employees 
to “maintain clean desks” did not defeat workplace expectation of privacy of non-DEA employee 
assigned to DEA office). 

• When planning to search a government computer in a government workplace, agents should look 
for official employment policies or “banners” that can eliminate a reasonable expectation of 
privacy in the computer. 

Written employment policies and “banners” are particularly important in cases that consider 
whether government employees enjoy a reasonable expectation of privacy in government computers. 
Banners are written notices that greet users before they log on to a computer or computer network, and 
can inform users of the privacy rights that they do or do not retain in their use of the computer or 
network. See generally Appendix A. 

In general, government employees who are notified that their employer has retained rights to 
access or inspect information stored on the employer’s computers can have no reasonable expectation of 
privacy in the information stored there. For example, in United States v. Simons, 206 F.3d 392 (4th Cir. 
2000), computer specialists at a division of the Central Intelligence Agency learned that an employee 
named Mark Simons had been using his desktop computer at work to obtain pornography available on 
the Internet, in violation of CIA policy. The computer specialists accessed Simons’ computer remotely 
without a warrant, and obtained copies of over a thousand picture files that Simons had stored on his 
hard drive. Many of these picture files contained child pornography, which were turned over to law 
enforcement. When Simons filed a motion to suppress the fruits of the remote search of his hard drive, 
the Fourth Circuit held that the CIA division’s official Internet usage policy eliminated any reasonable 
expectation of privacy that Simons might otherwise have in the copied files. See id. at 398. The policy 
stated that the CIA division would “periodically audit, inspect, and/or monitor [each] user’s Internet 
access as deemed appropriate,” and that such auditing would be implemented “to support identification, 
termination, and prosecution of unauthorized activity.” Id. at 395-96. Simons did not deny that he was 
aware of the policy. See id. at 398 n.8. In light of the policy, the Fourth Circuit held, Simons did not 
retain a reasonable expectation of privacy “with regard to the record or fruits of his Internet use,” 
including the files he had downloaded. Id. at 398. 

Other courts have agreed with the approach articulated in Simons and have held that banners and 
policies generally eliminate a reasonable expectation of privacy in contents stored in a government 
employee’s network account. See Wasson v. Sonoma County Junior College, 4 F. Supp. 2d 893, 905-06 
(N.D. Cal. 1997) (holding that public employer’s computer policy giving the employer “the right to 
access all information stored on [the employer’s] computers” defeats an employee’s reasonable 
expectation of privacy in files stored on employer’s computers); Bohach v. City of Reno, 932 F. Supp. 
1232, 1235 (D. Nev. 1996) (holding that police officers did not retain a reasonable expectation of 
privacy in their use of a pager system, in part because the Chief of Police had issued an order 
announcing that all messages would be logged); United States v. Monroe, 52 M.J. 326 (C.A.A.F. 2000) 
(holding that Air Force sergeant did not have a reasonable expectation of privacy in his government 
e-mail account because e-mail use was reserved for official business and network banner informed each 
user upon logging on to the network that use was subject to monitoring). But see DeMaine v. Samuels, 
2000 WL 1658586, at *7 (D. Conn. 2000) (suggesting that the existence of an employment manual 
explicitly authorizing searches “weighs heavily” in the determination of whether a government 
employee retained a reasonable expectation of privacy at work, but “does not, on its own, dispose of the 
question”). 






Of course, whether a specific policy eliminates a reasonable expectation of privacy is a factual 
question. Agents and prosecutors must consider whether a given policy is sufficiently broad that it 
reasonably contemplates the search to be conducted. If the policy is narrow, it may not waive the 
government employee’s reasonable expectation of privacy against the search that the government plans 
to execute. For example, in Simons, the Fourth Circuit concluded that although the CIA division’s 
Internet usage policy eliminated Simons’ reasonable expectation of privacy in the fruits of his Internet 
use, it did not eliminate his reasonable expectation of privacy in the physical confines of his office. See 
Simons, 206 F.3d at 399 n.10. Accordingly, the policy by itself was insufficient to justify a physical 
entry into Simons’ office. See id. at 399. See also Taketa, 923 F.2d at 672-73 (concluding that 
regulation requiring DEA employees to “maintain clean desks” did not defeat workplace expectation of 
privacy of non-DEA employee assigned to DEA office). Sample banners appear in Appendix A. 



b) “Reasonable” Workplace Searches Under O’Connor v. Ortega 

• Government employers and their agents can conduct “reasonable” work-related searches even if 
those searches violate an employee’s reasonable expectation of privacy. 

In most circumstances, a warrant must be obtained before a government actor can conduct a search 
that violates an individual’s reasonable expectation of privacy. In the context of government 
employment, however, the government’s role as an employer (as opposed to its role as a law-enforcer) 
presents a special case. In O’Connor, the Supreme Court held that a public employer or the employer’s 
agent can conduct a workplace search that violates a public employee’s reasonable expectation of 
privacy so long as the search is “reasonable.” See O’Connor, 480 U.S. at 722-23 (plurality); id. at 732 
(Scalia, J., concurring). The Court’s decision adds public workplace searches by employers to the list 
of “special needs” exceptions to the warrant requirement. The “special needs” exceptions permit the 
government to dispense with the usual warrant requirement when its officials infringe upon protected 
privacy rights in the course of acting in a non-law enforcement capacity. See, e.g., New Jersey v. 
T.L.O., 469 U.S. 325, 351 (1985) (Blackmun, J., concurring) (applying the “special needs” exception to 
permit public school officials to search student property without a warrant in an effort to maintain 
discipline and order in public schools); National Treasury Employees Union v. Von Raab, 489 U.S. 656, 
677 (1989) (applying the “special needs” exception to permit warrantless drug testing of Customs 
employees who seek promotions to positions where they would handle sensitive information). In these 
cases, the Court has held that the need for government officials to pursue legitimate 
non-law-enforcement aims justifies a relaxing of the warrant requirement because “the burden of obtaining a 
warrant is likely to frustrate the [non-law-enforcement] governmental purpose behind the search.” 
O’Connor, 480 U.S. at 720 (quoting Camara v. Municipal Court, 387 U.S. 523, 533 (1967)). 

According to O’Connor, a warrantless search must satisfy two requirements to qualify as 
“reasonable.” First, the employer or his agents must participate in the search for a work-related reason, 
rather than merely to obtain evidence for use in criminal proceedings. Second, the search must be 
justified at its inception and permissible in its scope. 



i) The Search Must Be Work-Related 

The first element of O’Connor’s reasonableness test requires that the employer or his agents must 
participate in the search for a work-related reason, rather than merely to obtain evidence for use in 
criminal proceedings. See O’Connor, 480 U.S. at 721. This element limits the O’Connor exception to 
circumstances in which the government actors who conduct the search act in their capacity as 
employers, rather than law enforcers. The O’Connor Court specified two such circumstances. First, the 
Court concluded that public employers can conduct reasonable work-related noninvestigatory intrusions, 
such as entering an employee’s office to retrieve a file or report while the employee is out. See id. at 
722 (plurality); id. at 732 (Scalia, J., concurring). Second, the Court concluded that employers can 
conduct reasonable investigations into an employee’s work-related misconduct, such as entering an 
employee’s office to investigate employee misfeasance that threatens the efficient and proper operation 
of the office. See id. at 724 (plurality); id. at 732 (Scalia, J., concurring). 

The line between a legitimate work-related search and an illegitimate search for criminal evidence 
is clear in theory, but often blurry in fact. Public employers who learn of misconduct at work may 
investigate it with dual motives: they may seek evidence both to root out “inefficiency, incompetence, 
mismanagement, or other work-related misfeasance,” id. at 724, and also to collect evidence for a 
criminal prosecution. Indeed, the two categories may merge altogether. For example, government 
officials who have criminal investigators under their command may respond to allegations of 
work-related misconduct by directing the investigators to search employee offices for evidence of a crime. 

The courts have adopted fairly generous interpretations of O’Connor when confronted with 
mixed-motive searches. In general, the presence and involvement of law enforcement officers will not 
invalidate the search so long as the employer or his agent participates in the search for legitimate 
work-related reasons. See, e.g., Gossmeyer v. McDonald, 128 F.3d 481, 492 (7th Cir. 1997) (concluding that 
presence of law enforcement officers in a search team looking for evidence of work-related misconduct 
does not transform search into an illegitimate law enforcement search); Taketa, 923 F.2d at 674 
(concluding that search of DEA office space by DEA agents investigating allegations of illegal 
wiretapping “was an internal investigation directed at uncovering work-related employee misconduct.”); 
Shields v. Burge, 874 F.2d 1201, 1202-05 (7th Cir. 1989) (applying the O’Connor exception to an 
internal affairs investigation of a police sergeant that paralleled a criminal investigation); Ross v. 
Hinton, 740 F. Supp. 451, 458 (S.D. Ohio 1990) (concluding that a public employer’s discussions with 
law enforcement officer concerning employee’s alleged criminal misconduct, culminating in officer’s 
advice to “secure” the employee’s files, did not transform employer’s subsequent search of employee’s 
office into a law enforcement search). 

Although the presence of law enforcement officers ordinarily will not invalidate a work-related 
search, a few courts have indicated that whether O’Connor applies depends as much on the identity of 
the personnel who conduct the search as whether the purpose of the search is work-related. For 
example, in United States v. Simons, 206 F.3d 392, 400 (4th Cir. 2000), the Fourth Circuit concluded 
that O’Connor authorized the search of a government employee’s office by his supervisor even though 
the dominant purpose of the search was to uncover evidence of a crime. Because the search was 
conducted by the employee’s supervisor, the Court indicated, it fell within the scope of O’Connor. See 
id. (“[The employer] did not lose its special need for the efficient and proper operation of the workplace 
merely because the evidence obtained was evidence of a crime.”) (internal quotations and citations 
omitted). Conversely, one district court has held that the O’Connor exception did not apply when a 
government employer sent a uniformed police officer to an employee’s office, even though the purpose 
of the police officer’s presence was entirely work-related. See Rossi v. Town of Pelham, 35 F. Supp. 2d 
58, 65-66 (D.N.H. 1997) (civil action pursuant to 42 U.S.C. § 1983) (concluding that O’Connor 
exception did not apply when town officials sent a single police officer to town clerk’s office to ensure 
that clerk did not remove public records from her office before a scheduled audit could occur; the 
resulting search was a “police intrusion” rather than an “employer intrusion”). 

Of course, courts will invalidate warrantless workplace searches when the facts establish that law 
enforcement provided the true impetus for the search, and the search violated an employee’s reasonable 
expectation of privacy. See United States v. Hagarty, 388 F.2d 713, 717 (7th Cir. 1968) (holding that 
surveillance installed by criminal investigators violated the Fourth Amendment where purpose of 
surveillance was “to detect criminal activity” rather than “to supervise and investigate” a government 
employee); United States v. Kahan, 350 F. Supp. 784, 791 (S.D.N.Y. 1972), rev’d in part on other 
grounds, 479 F.2d 290 (2d Cir. 1973), rev’d with directions to reinstate the district court judgment, 415 
U.S. 239 (1974) (invalidating warrantless search of INS employee’s wastebasket by INS criminal 
investigator who searched the employee’s wastebasket for evidence of a crime every day after work with 
the employer’s consent). 



ii) The Search Must Be Justified At Its Inception And Permissible In Its Scope 

To be “reasonable” under the Fourth Amendment, a work-related employer search of the type 
endorsed in O’Connor must also be both “justified at its inception,” and “permissible in its scope.” 
O’Connor, 480 U.S. at 726 (plurality). A search will be justified at its inception “when there are 
reasonable grounds for suspecting that the search will turn up evidence that the employee is guilty of 
work-related misconduct, or that the search is necessary for a noninvestigatory work-related purpose.” 
Id. See, e.g., Simons, 206 F.3d at 401 (holding that entrance into employee’s office to seize his computer 
was justified at its inception because employer knew that employee had used the computer to download 
child pornography); Gossmeyer, 128 F.3d at 491 (holding that co-worker’s specific allegations of 
serious misconduct made Sheriff’s search of Child Protective Investigator’s locked desk and file 
cabinets justified at its inception); Taketa, 923 F.2d at 674 (concluding that report of misconduct 
justified initial search of employee’s office); Shields, 874 F.2d at 1204 (suggesting in dicta that search 
of police officer’s desk for narcotics pursuant to internal affairs investigation might be reasonable 
following an anonymous tip); DeMaine v. Samuels, 2000 WL 1658586, at *10 (D. Conn. 2000) 
(holding that search of police officer’s day planner was justified by information from two reliable 
sources that the officer kept detailed attendance notes relevant to overtime investigation involving other 
officers); Williams v. Philadelphia Housing Auth., 826 F. Supp. 952, 954 (E.D. Pa. 1993) (concluding 
that employer’s search for a computer disk in employee’s office was justified at its inception because 
employer needed contents of disk for official purposes). Compare Ortega v. O’Connor, 146 F.3d 1149, 
1162 (9th Cir. 1998) (concluding that vague, uncorroborated and stale complaints of misconduct do not 
justify a decision to search an employee’s office). 

A search will be “permissible in its scope” when “the measures adopted are reasonably related to 
the objectives of the search and [are] not excessively intrusive in light of the nature of the misconduct.” 
O’Connor, 480 U.S. at 726 (plurality) (internal quotations omitted). This standard requires employers 
and their agents to tailor work-related searches to the alleged misfeasance. See, e.g., Simons, 206 F.3d at 
401 (holding that search for child pornography believed to be stored in employee’s computer was 
permissible in scope because individual who conducted the search “simply crossed the floor of [the 
defendant’s] office, switched hard drives, and exited”); Gossmeyer, 128 F.3d at 491 (concluding that 
workplace search for images of child pornography was permissible in scope because it was limited to 
places where such images would likely be stored); Samuels, 2000 WL 1658586, at *10 (holding that 
search through police officer’s day planner was reasonable because Internal Affairs investigators had 
reason to believe day planner contained information relevant to investigation of overtime abuse). If 
employers conduct a search that unreasonably exceeds the scope necessary to pursue the employer’s 
legitimate work-related objectives, the search will be “unreasonable” and will violate the Fourth 
Amendment. See O’Connor, 146 F.3d at 1163 (concluding that “a general and unbounded” search of an 
employee’s desk, cabinets, and personal papers was impermissible in scope where the search team did 
not attempt to limit their investigation to evidence of alleged misconduct). 



c) Consent in Public-Sector Workplaces 

Although public employers may search employees’ workplaces without a warrant for work-related 
reasons, public workplaces offer a more restrictive milieu in one respect. In government workplaces, 
employers acting in their official capacity generally cannot consent to a law enforcement search of their 
employees’ offices. See United States v. Blok, 188 F.2d 1019, 1021 (D.C. Cir. 1951) (concluding that a 
government supervisor cannot consent to a law enforcement search of a government employee’s desk); 
Taketa, 923 F.2d at 673; Kahan, 350 F. Supp. at 791. The rationale for this result is that the Fourth 
Amendment cannot permit one government official to consent to a search by another. See Blok, 188 
F.2d at 1021 (“Operation of a government agency and enforcement of criminal law do not amalgamate 
to give a right of search beyond the scope of either.”). Accordingly, law enforcement searches 
conducted pursuant to a public employer’s consent must be evaluated under O’Connor rather than the 
third-party consent rules of Matlock. The question in such cases is not whether the public employer had 
common authority to consent to the search, but rather whether the combined law enforcement and 
employer search satisfied the Fourth Amendment standards of O’Connor v. Ortega. 



II. SEARCHING AND SEIZING COMPUTERS WITH A WARRANT 



A. Introduction 

The legal framework for searching and seizing computers with a warrant largely mirrors the legal 
framework for more traditional types of searches and seizures. As with any kind of search pursuant to a 
warrant, law enforcement must establish “probable cause, supported by Oath or affirmation,” and must 
“particularly describ[e] the place to be searched, and the persons or things to be seized.” U.S. Const. 
Amend. 4. 

Despite the common legal framework, computer searches differ from other searches because 
computer technologies frequently force agents to execute computer searches in nontraditional ways. 
Consider the traditional case of a warrant to seize a stolen car from a private parking lot. Agents 
generally can assume that the lot will still exist in its prior location when the agents execute the search, 
and can assume they will be able to identify the stolen car quickly based on the car’s model, make, 
license plate, or Vehicle Identification Number. As a result, the process of drafting the warrant and 
executing the search is relatively simple. After the agents establish probable cause and describe the car 
and lot to the magistrate judge, the magistrate judge can issue the warrant authorizing the agents to go to 
the lot and retrieve the car. 

Searches for computer files tend to be more complicated. Because computer files consist of 
electrical impulses that can be stored on the head of a pin and moved around the world in an instant, 
agents may not know where computer files are stored, or in what form. Files may be stored on a floppy 
diskette, on a hidden directory in a suspect’s laptop, or on a remote server located thousands of miles 
away. The files may be encrypted, misleadingly titled, stored in unusual file formats, or commingled 
with millions of unrelated, innocuous, and even statutorily protected files. As a result of these 
uncertainties, agents cannot simply establish probable cause, describe the files they need, and then “go” 
and “retrieve” the data. Instead, they must understand the technical limits of different search techniques, 
plan the search carefully, and then draft the warrant in a manner that authorizes the agents to take 
necessary steps to obtain the evidence they need. 

Searching and seizing computers with a warrant is as much an art as a science. In general, 
however, agents and prosecutors have found that they can maximize the likelihood of a successful 
search and seizure by following these four steps: 

1) Assemble a team consisting of the case agent, the prosecutor, 
and a technical expert as far in advance of the search as possible. 

Although the lead investigating agent is the central figure in most searches, computer searches 
generally require a team with three important players: the agent, the prosecutor, and a technical 
specialist with expertise in computers and computer forensics. In most computer searches, the case 
agent organizes and directs the search, learns as much as possible about the computers to be searched, 
and writes the affidavit establishing probable cause. The technical specialist explains the technical 
limitations that govern the search to the case agent and prosecutor, creates the plan for executing the 
search, and in many cases takes the lead role in executing the search itself. Finally, the prosecutor 
reviews the affidavit and warrant and makes sure that the entire process complies with the Fourth 
Amendment and Rule 41 of the Federal Rules of Criminal Procedure. Of course, each member of the 
team should collaborate with the others to help ensure an effective search. 

There are many sources of technical expertise in the federal government. Most agencies that have 
law enforcement investigators also have technical specialists trained in computer forensics. For 
example, the FBI has Computer Analysis Response Team (CART) examiners, the Internal Revenue 
Service has Seized Computer Evidence Recovery (SCER) specialists, and the Secret Service has the 
Electronic Crime Special Agent Program (ESCAP). Investigating agents should contact the technical 
experts within their own agency. Further, some agencies offer case agents sufficient technical training 
that they may also be able to act as technical specialists. In such cases, the case agents normally do not 
need to consult with technical experts and can serve as technical specialists and case agents 
simultaneously. 

2) Learn as much as possible about the computer system that will be searched 
before devising a search strategy or drafting the warrant. 

After assembling the team, the case agent should begin acquiring as much information as possible 
about the computer system targeted by the search. It is difficult to overstate the importance of this step. 
For the most part, the need for detailed and accurate information about the targeted computer results 
from practical considerations. Until the agent has learned what kinds of computers and operating 
systems the target uses, it is impossible to know how the information the system contains can be 
retrieved, or even where the information may be located. Every computer and computer network is 
different, and subtle differences in hardware, software, operating systems, and system configuration can 
alter the search plan dramatically. For example, a particular search strategy may work well if a targeted 
network runs the Linux operating system, but might not work if the network runs Windows NT instead. 

These concerns are particularly important when searches involve complicated computer networks 
(as opposed to stand-alone PCs). For example, the mere fact that a business uses computers in its 
does not mean that the computers’ terminals found there actually contain any useful information. 
Businesses may contract with network service providers that store the business’s information on remote 
network servers located miles (or even thousands of miles) away. As a result of these considerations, a 
technical specialist cannot advise the case agent on the practical aspects of different search strategies 
without knowing the nature of the computer system to be searched. Agents need to learn as much as 
possible about the targeted computer before drafting the warrant, including (if possible) the hardware, 
the software, the operating system, and the configuration of the network. 

Obtaining detailed and accurate information about the targeted computer also has important legal 
implications. For example, the incidental seizure of First Amendment materials such as drafts of 
newsletters or web pages may implicate the Privacy Protection Act (“PPA”), 42 U.S.C. § 2000aa, and 
the incidental seizure and subsequent search through network accounts may raise issues under the 
Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. §§ 2701-11 (see generally Parts B.2 and 
B.3, infra). To minimize liability under these statutes, agents should conduct a careful investigation into 
whether and where First Amendment materials and network accounts may be stored on the computer 
system targeted by the search. At least one court has suggested that a failure to conduct such an 
investigation can help deprive the government of a good faith defense against liability under these 
statutes. See Steve Jackson Games, Inc. v. United States Secret Service, 816 F. Supp. 432 (W.D. Tex. 
1993), aff’d, 36 F.3d 457 (5th Cir. 1994). 

On a practical level, agents may take various approaches to learning about a targeted computer 
network. In some cases, agents can interview the system administrator of the targeted network 
(sometimes in an undercover capacity), and obtain all or most of the information the technical specialist 
needs to plan and execute the search. When this is impossible or dangerous, more piecemeal strategies 
may prove effective. For example, agents sometimes conduct on-site visits (often undercover) that at 
least reveal some elements of the hardware involved. A useful source of information for networks 
connected to the Internet is the Internet itself. For example, the “host” command in a UNIX 
environment often reveals the operating system, machines, and general layout of a targeted network 
connected to the Internet (although it may set off alarms at the target network). 

3) Formulate a strategy for conducting the search (including a backup plan) 
based on the known information about the targeted computer system. 

With a team in place and the targeted system researched, the next step is to formulate a strategy 
for conducting the search. For example, will the agents search through the targeted computer(s) on the 
premises, or will they simply enter the premises and remove all of the hardware? Will the agents make 
copies of individual files, or will they make exact copies of entire hard drives? What will the agents do 
if their original plan fails, or if the computer hardware or software turns out to be significantly different 
from what they expected? These decisions hinge on a series of practical and legal considerations. In 
most cases, the search team should decide on a preferred search strategy, and then plan a series of 
backup strategies if the preferred strategy proves impractical. 

The issues that must be considered when formulating a strategy to search and seize a computer are 
discussed in depth in Part B of this chapter. In general, however, the issues group into four questions: 
First, what is the most effective search strategy that will comply with Rule 41 and the Fourth 
Amendment? Second, does the search strategy need to be modified to minimize the possibility of 
violating either the PPA or ECPA? Third, will the search require multiple warrants? And fourth, should 
agents ask for special permission to conduct a no-knock or sneak-and-peek search? 

4) Draft the warrant, taking special care to describe the object of the search and the 
property to be seized accurately and particularly, and explain the search strategy (as 
well as the practical and legal issues that helped shape it) in the supporting affidavit. 

The essential ingredients for drafting a successful search warrant are covered in Section C, and a 
practical guide to drafting warrants and affidavits appears in Appendix E. In general, however, the keys 
to drafting successful computer search warrants are first to describe carefully and particularly the object 
of the warrant that investigators have probable cause to seize, and second to explain adequately the 
search strategy in the supporting affidavit. On a practical level, these steps help focus and guide the 
investigators as they execute the search. As a legal matter, the first step helps to overcome particularity 
challenges, and the latter helps to thwart claims that the agents executed the search in “flagrant 
disregard” of the warrant. 

B. Planning the Search 

1. Basic Strategies for Executing Computer Searches 

Computer searches may be executed in a variety of ways. For the most part, there are four possibilities: 

1) Search the computer and print out a hard copy of particular files at that time; 

2) Search the computer and make an electronic copy of particular files at that time; 

3) Create a mirror-image electronic copy of the entire storage device on-site, and then later 
recreate a working copy of the storage device off-site for review; and 

4) Seize the equipment, remove it from the premises, and review its contents off-site. 

Which option is best for any particular search depends on many factors. The single most 
important consideration is the role of the computer hardware in the offense. 

• Although every computer search is unique, search strategies often depend on the role of the 
hardware in the offense. If the hardware is itself evidence, an instrumentality, contraband, or a 
fruit of crime, agents will usually plan to seize the hardware and search its contents off-site. If 
the hardware is merely a storage device for evidence, agents generally will only seize the 
hardware if less disruptive alternatives are not feasible. 

In general, computer hardware can serve one of two roles in a criminal case. First, the computer 
hardware can be a storage device for evidence of crime. For example, if a suspect keeps evidence of his 
fraud schemes stored in his personal computer, the hardware itself is merely a container for evidence. 
The purpose of searching the suspect's computer will be to recover the evidence the computer hardware 
happens to contain. 

In other cases, however, computer hardware can itself be contraband, evidence, an instrumentality, 
or a fruit of crime. For example, a computer used to transmit child pornography is an instrumentality of 
crime, and stolen computers are contraband. In such cases, Federal Rule of Criminal Procedure 41 
grants agents the right to seize the computer itself, independently from the materials that the hardware 
happens to contain. See generally Appendix F (explaining the scope of materials that may be seized 
according to Rule 41). Because Rule 41 authorizes agents to seize hardware in the latter case but not the 
former, the search strategy for a particular computer search hinges first on the role of the hardware in the 
offense. 



a) When Hardware Is Itself Contraband, Evidence, or an Instrumentality or Fruit of Crime 

Under Fed. R. Crim. P. 41(b), agents may obtain search warrants to seize computer hardware if the 
hardware is contraband, evidence, or an instrumentality or fruit of crime. See Rule 41(b); Appendix F. 
When the hardware itself may be seized according to Rule 41, agents will usually conduct the search by 
seizing the computer and searching it off-site. For example, a home personal computer used to store and 
transmit contraband images is itself an instrumentality of the crime. See Davis v. Gracey, 111 F.3d 
1472, 1480 (10th Cir. 1997) (computer used to store obscene images); United States v. Lamb, 945 F. 
Supp. 441, 462 (N.D.N.Y. 1996) (computer used to store child pornography). Accordingly, Rule 41 
permits agents to obtain a warrant authorizing the seizure of the computer hardware. In most cases, 
investigators will simply obtain a warrant to seize the computer, seize the hardware during the search, 
and then search through the defendant's computer for the contraband files back at the police station or 
computer forensics laboratory. In such cases, the agents should explain in the supporting affidavit that 
they plan to search the computer for evidence and/or contraband after the computer has been seized and 
removed from the site of the search. 

Notably, exceptions exist when agents will not want to seize computer hardware even when the 
hardware is used as an instrumentality, evidence, contraband, or a fruit of crime. When the “computer” 
involved is not a stand-alone PC but rather part of a complicated network, the collateral damage and 
practical headaches that would arise from seizing the entire network generally counsel against a 
wholesale seizure. For example, if a system administrator of a computer network stores stolen 
proprietary information somewhere in the network, the network becomes an instrumentality of the 
system administrator's crime. Technically, agents could obtain a warrant to seize the entire network. 
However, carting off the entire network might cripple a functioning business and disrupt the lives of 
hundreds of people, as well as subject the government to civil suits under the Privacy Protection Act, 42 
U.S.C. § 2000aa and the Electronic Communications Privacy Act, 18 U.S.C. §§ 2701-11. See generally 
Steve Jackson Games, Inc. v. Secret Service, 816 F. Supp. 432, 440, 443 (W.D. Tex. 1993) (discussed 
infra). In such circumstances, agents will want to take a more nuanced approach to obtain the evidence 
they need. Agents faced with such a situation can call the Computer Crime and Intellectual Property 
Section at (202) 514-1026 or the Assistant U.S. Attorney designated as a Computer- 
Telecommunications Coordinator (CTC) in their district for more specific advice. 



b) When Hardware is Merely a Storage Device for Evidence of Crime 

The strategy for conducting a computer search is significantly different if the computer hardware is 
merely a storage device for evidence of a crime. In such cases, Rule 41(b) authorizes agents to obtain a 
warrant to seize the electronic evidence, but arguably does not authorize the agents to seize the hardware 
that happens to contain that evidence. Cf. United States v. Tamura, 694 F.2d 591, 595 (9th Cir. 1982) 
(noting that probable cause to seize specific paper files enumerated in warrant technically does permit 
the seizure of commingled innocent files). The hardware is merely a storage container for evidence, not 
evidence itself. This does not mean that the government cannot seize the equipment: rather, it means 
that the government generally should only seize the equipment if a less intrusive alternative that permits 
the effective recovery of the evidence is infeasible in the particular circumstances of the case. Cf. id. at 
596. 



As a practical matter, circumstances will often require investigators to seize equipment and search 
its contents off-site. First, it may take days or weeks to find the specific information described in the 
warrant because computer storage devices can contain extraordinary amounts of information. Agents 
cannot reasonably be expected to spend more than a few hours searching for materials on-site, and in 
some circumstances (such as executing a search at a suspect's home) even a few hours may be 
unreasonable. See United States v. Santarelli, 778 F.2d 609, 615-16 (11th Cir. 1985). Given that 
personal computers sold in the year 2000 usually can store the equivalent of ten million pages of 
information and networks can store hundreds of times that (and these capacities double nearly every 
year), it may be practically impossible for agents to search quickly through a computer for specific data, 
a particular file, or a broad set of files while on-site. Even if the agents know specific information about 
the files they seek, the data may be mislabeled, encrypted, stored in hidden directories, or embedded in 
“slack space” that a simple file listing will ignore. Recovering the evidence may require painstaking 
analysis by an expert in the controlled environment of a forensics laboratory. 

Attempting to search files on-site may even risk damaging the evidence itself in some cases. 
Agents executing a search may learn on-site that the computer employs an uncommon operating system 
that the on-site technical specialist does not fully understand. Because an inartful attempt to conduct a 
search may destroy evidence, the best strategy may be to remove the hardware so that a government 
expert in that particular operating system can examine the computer later. Off-site searches also may be 
necessary if agents have reason to believe that the computer has been “booby trapped” by a savvy 
criminal. Technically adept users may know how to trip-wire their computers with self-destruct 
programs that could erase vital evidence if the system were examined by anyone other than an expert. 
For example, a criminal could write a very short program that would cause the computer to demand a 
password periodically, and if the correct password is not entered within ten seconds, would trigger the 
automatic destruction of the computer's files. In these cases, it is best to seize the equipment and permit 
an off-site expert to disarm the program before any search occurs. 

In light of these uncertainties, agents often plan to try to search on-site, with the understanding that 
they will seize the equipment if circumstances discovered on-site make an on-site search infeasible. 
Once on-site to execute the search, the agents will assess the hardware, software, and resources available 
to determine whether an on-site search is possible. In many cases, the search strategy will depend on the 
sensitivity of the environment in which the search occurs. For example, agents seeking to obtain 
information stored on the computer network of a functioning business will in most circumstances want 
to make every effort to obtain the information without seizing the business’s computers, if possible. In 
such situations, a tiered search strategy designed to use the least intrusive approach that will recover the 
information is generally appropriate. Such approaches are discussed in Appendix F. Whatever search 
strategy is chosen, it should be explained fully in the affidavit supporting the warrant application. 

Sometimes, conducting a search on-site will be possible. A friendly employee or system 
administrator may agree to pinpoint a file or record or may have a recent backup, permitting the agents 
to obtain a hard copy of the files they seek while on-site. See, e.g., United States v. Longo, 70 F. 
Supp.2d 225 (W.D.N.Y. 1999) (upholding pinpoint search aided by suspect’s secretary for two 
particular computer files). Alternatively, agents may be able to locate the set of files targeted and make 
electronic copies, or may be able to mirror a segment of the storage drive based on knowledge that the 
information exists somewhere within that segment of the drive. In other cases, of course, such strategies 
will fail. If the agents cannot learn where the information is stored or cannot create a working mirror 
image for technical reasons, they may have no choice but to seize the computer and remove it. Because 
personal computers are easily moved and can be searched effectively off-site using special forensics 
tools, agents are particularly likely to seize personal computers absent unusual circumstances. 

The general strategy is to pursue the quickest, least intrusive, and most direct search strategy that is 
consistent with securing the evidence described in the warrant. This strategy will permit agents to 
search on-site in some cases, and will permit them to seize the computers for off-site review in others. 
Flexibility is the key. 



2. The Privacy Protection Act 

• When agents have reason to believe that a search may result in a seizure of materials relating to 
First Amendment activities such as publishing or posting materials on the World Wide Web, they 
must consider the effect of the Privacy Protection Act (“PPA”), 42 U.S.C. § 2000aa. Every 
federal computer search that implicates the PPA must be approved by the Deputy Assistant 
Attorney General of the Criminal Division, coordinated through CCIPS at (202) 514-1026. 

Under the Privacy Protection Act (“PPA”), 42 U.S.C. § 2000aa, law enforcement must take special 
steps when planning a search that agents have reason to believe may result in the seizure of certain First 
Amendment materials. Federal law enforcement searches that implicate the PPA must be pre-approved 
by the Justice Department in Washington, D.C. The Computer Crime and Intellectual Property Section 
serves as the contact point for all such searches involving computers, and should be contacted directly at 
(202) 514-1026. 

a) A Brief History of the Privacy Protection Act 

Before the Supreme Court decided Warden v. Hayden, 387 U.S. 294, 309 (1967), law enforcement 
officers could not obtain search warrants to search for and seize “mere evidence” of crime. Warrants 
were permitted only to seize contraband, instrumentalities, or fruits of crime. See Boyd v. United States, 
116 U.S. 616 (1886). In Hayden, the Court reversed course and held that the Fourth Amendment 
permitted the government to obtain search warrants to seize mere evidence. This ruling set the stage for 
a collision between law enforcement and the press. Because journalists and reporters often collect 
evidence of criminal activity in the course of developing news stories, they frequently possess “mere 
evidence” of crime that may prove useful to law enforcement investigations. By freeing the Fourth 
Amendment from Boyd's restrictive regime, Hayden created the possibility that law enforcement could 
use search warrants to target the press for evidence of crime it had collected in the course of 
investigating and reporting news stories. 

It did not take long for such a search to occur. On April 12, 1971, the District Attorney's Office in 
Santa Clara County, California obtained a search warrant to search the offices of The Stanford Daily, a 
Stanford University student newspaper. The DA's office was investigating a violent clash between the 
police and demonstrators that had occurred at the Stanford University Hospital three days earlier. The 
Stanford Daily had covered the incident, and published a special edition featuring photographs of the 
clash. Believing that the newspaper probably had more photographs of the clash that could help the 
police identify the demonstrators, the police obtained a warrant and sent four police officers to search 
the newspaper's office for further evidence that could assist the investigation. The officers found 
nothing. A month later, however, the Stanford Daily and its editors brought a civil suit against the 
police claiming that the search had violated their First and Fourth Amendment rights. The case 
ultimately reached the Supreme Court, and in Zurcher v. Stanford Daily, 436 U.S. 547 (1978), the Court 
rejected the newspaper’s claims. Although the Court noted that “the Fourth Amendment does not 
prevent or advise against legislative or executive efforts to establish nonconstitutional protections” for 
searches of the press, it held that neither the Fourth nor First Amendment prohibited such searches. Id. 
at 567. 

Congress passed the PPA in 1980 in response to Stanford Daily. According to the Senate Report, 
the PPA protected “the press and certain other persons not suspected of committing a crime with 
protections not provided currently by the Fourth Amendment.” S. Rep. No. 96-874, at 4 (1980). The 
statute was intended to grant publishers certain statutory rights to discourage law enforcement officers 
from targeting publishers simply because they often gathered “mere evidence” of crime. As the 
legislative history indicates, 

the purpose of this statute is to limit searches for materials held by persons involved in First 
Amendment activities who are themselves not suspected of participation in the criminal 
activity for which the materials are sought, and not to limit the ability of law enforcement 
officers to search for and seize materials held by those suspected of committing the crime 
under investigation. 

Id. at 11. 

b) The Terms of the Privacy Protection Act 

Subject to certain exceptions, the PPA makes it unlawful for a government officer “to search for 
or seize” materials when 



(a) the materials are “work product materials” prepared, produced, authored, or created “in 
anticipation of communicating such materials to the public,” 42 U.S.C. § 2000aa-7(b)(1); 

(b) the materials include “mental impressions, conclusions, or theories” of its creator, 42 
U.S.C. § 2000aa-7(b)(3); and 

(c) the materials are possessed for the purpose of communicating the material to the public 
by a person “reasonably believed to have a purpose to disseminate to the public” some form 
of “public communication,” 42 U.S.C. § 2000aa-7(b)(3), § 2000aa(a). 

or 

(a) the materials are “documentary materials” that contain “information,” 
§ 2000aa-7(a); and 

(b) the materials are possessed by a person “in connection with a purpose to disseminate to 
the public” some form of “public communication.” 42 U.S.C. § 2000aa(b), § 2000aa-7(a). 



Although the language of the PPA is broad, the statute contains several exceptions. Searches will 
not violate the PPA when 



1) the only materials searched for or seized are contraband, instrumentalities, or fruits of 
crime, see § 2000aa-7(a),(b); 

2) there is reason to believe that the immediate seizure of such materials is necessary to 
prevent death or serious bodily injury, see § 2000aa(a)(2), § 2000aa(b); 

3) there is probable cause to believe that the person possessing such materials has 
committed or is committing the criminal offense to which the materials relate (an exception 
which is itself subject to several exceptions), see § 2000aa(a)(1), § 2000aa(b)(1); and 

4) in a search for or seizure of “documentary materials” as defined by § 2000aa-7(a), a 
subpoena has proven inadequate or there is reason to believe that a subpoena would not 
result in the production of the materials, see § 2000aa(b)(3)-(4). 

Violations of the PPA do not result in suppression of the evidence, but can result in civil damages 
against the sovereign whose officers or employees execute the search. See § 2000aa-6(a),(d),(e); Davis 
v. Gracey, 111 F.3d 1472, 1482 (10th Cir. 1997) (dismissing PPA suit against municipal officers in their 
personal capacities because such suits must be filed only against the “government entity”). If State 
officers or employees violate the PPA and the state does not waive its sovereign immunity and is thus 
immune from suit, see Barnes v. State of Missouri, 960 F.2d 63, 65 (8th Cir. 1992), individual State 
officers or employees may be held liable for acts within the scope or under the color of their 
employment subject to a reasonable good faith defense. See § 2000aa-6(a)(2),(b). 

c) Application of the PPA to Computer Searches and Seizures 

PPA issues frequently arise in computer cases for two reasons that Congress could not have 
foreseen in 1980. First, the use of personal computers for publishing and the World Wide Web has 
dramatically expanded the scope of who is “involved in First Amendment activities.” Today, anyone 
with a computer and access to the Internet may be a publisher who possesses PPA-protected materials 
on his or her computer. 

The second reason that PPA issues arise frequently in computer cases is that the language of the 
statute does not explicitly rule out liability following incidental seizures of PPA-protected materials, and 
such seizures may inevitably result when agents search for and seize computer-stored contraband or 
evidence of crime that is commingled with PPA-protected materials. For example, investigations into 
illegal businesses that publish images of child pornography over the Internet have revealed that such 
businesses frequently support other publishing materials (such as drafts of adult pornography) that may 
be PPA-protected. Agents may find that the PPA interferes with their ability to seize the contraband 
child pornography because the contraband may be commingled with PPA-protected materials on the 
business's computers. Seizing the computer for the contraband would necessarily result in the seizure of 
the PPA-protected materials. Under this interpretation of the PPA, the statute does not merely deter law 
enforcement from targeting innocent publishers for their evidence, but also affirmatively protects 
individuals from the incidental seizure of property that may be used in part for First Amendment 
activities. 

As a formal matter, the legislative history and text of the PPA indicate that Congress probably 
intended the PPA to apply only when law enforcement intentionally targeted First Amendment material 
that related to a crime, as in Stanford Daily. For example, the so-called “suspect exception” eliminates 
PPA liability when “there is probable cause to believe that the person possessing such materials has 
committed or is committing the criminal offense to which the materials relate.” 42 U.S.C. § 2000aa(a)(1), 
§ 2000aa(b)(1) (emphasis added). This text indicates that Congress believed that PPA-protected 
materials would necessarily relate to a criminal offense, as when investigators target the materials as 
evidence. 

When agents collaterally seize PPA-protected materials because they are commingled on a 
computer with other materials properly targeted by law enforcement, however, the PPA-protected 
materials will not necessarily relate to any crime at all. For example, the PPA-protected materials might 
be drafts of a horticulture newsletter that just happen to sit on the same hard drive as images of child 
pornography or records of a fraud scheme. At least one court has responded to this difficulty by reading 
the phrase “to which the materials relate” quite broadly when an inadvertent seizure of commingled 
matter occurs. See United States v. Hunter, 13 F. Supp.2d 574, 582 (D. Vt. 1998) (concluding that 
materials for weekly legal newsletter published by the defendant from his law office “relate” to the 
defendant's alleged involvement in his client's drug crimes when the former was inadvertently seized in 
a search for evidence of the latter). This reading effectively restores the suspect exception to its 
intended purpose: limiting the scope of PPA protection to “the press and certain other persons not 
suspected of committing a crime.” S. Rep. No. 96-874, at 4 (1980). See also Carpa v. Smith, 208 F.3d 
220, 2000 WL 189678, at *1 (9th Cir. 2000) (unpublished opinion) (“[T]he Privacy Protection Act . . . 
does not apply to criminal suspects.”). 

Although Congress probably intended the PPA to apply only when law enforcement intentionally 
targets PPA-protected materials in search of evidence, at least one court has held law enforcement liable 
under the PPA for the incidental seizure of (and more particularly, failure to return) PPA-protected 
materials stored on a seized computer. In Steve Jackson Games, Inc. v. Secret Service, 816 F. Supp. 432 
(W.D. Tex. 1993), aff’d on other grounds, 36 F.3d 457 (5th Cir. 1994), a district court held the United 
States Secret Service liable for the inadvertent seizure of PPA-protected materials possessed by Steve 
Jackson Games, Inc. (“SJG”). Although SJG was primarily a publisher of role-playing games, it also 
operated a network of thirteen computers that provided its customers with e-mail, published information 
about SJG products, and stored drafts of upcoming publications. The Secret Service executed a search 
of SJG's computers on March 1, 1990, after learning that a system administrator of SJG's computers had 
been linked to a computer hacking incident under Secret Service investigation. Believing that the 
system administrator had stored evidence of the crime on SJG's computers, the Secret Service obtained a 
warrant and seized two of the thirteen computers connected to SJG's network, in addition to other 
materials. The Secret Service did not know that SJG's computers contained publishing materials until 
the day after the search, on March 2, 1990. However, the Secret Service did not return the computers it 
seized until months later. At no time did the Secret Service believe that SJG itself was involved in the 
crime under investigation. 

The district court in Steve Jackson Games ruled that the Secret Service violated the PPA by 
continuing to hold SJG's seized property after it learned that the property included materials that SJG 
intended to disseminate to the public, including drafts of a book and magazine articles. Although the 
Secret Service had executed the search to find evidence of computer hacking, the incidental seizure and 
then retention of PPA-protected material constituted a prohibited seizure of “work product materials” 
and “documentary materials” according to 42 U.S.C. § 2000aa. See id. at 440-41. The court set the 
damage award at just over $50,000, plus attorney’s fees to be determined later. 

Unfortunately, the district court’s precise reasoning in Steve Jackson Games is difficult to discern. 
For example, the court did not explain exactly which of the materials the Secret Service seized were 
covered by the PPA; instead, the court merely recited the property that had been seized, and concluded 
that some PPA-protected materials “were obtained” during the search. Id. at 440. Similarly, the court 
indicated that the search of SJG and the initial seizure of its property did not violate the PPA, but that 
the Secret Service’s continued retention of SJG’s property despite a request by SJG for its return was the 
true source of the PPA violation - something that the statute itself does not appear to contemplate. See 
id. at 441. The court also suggested that it might have ruled differently if the Secret Service had made 
“copies of all information seized” and returned the hardware as soon as possible, but did not answer 
whether in fact it would have reached a different result in such case. Id. Finally, the court set damages 
equal to the company's lost profits resulting from the search, seizure, and retention of SJG’s property, 
quite irrespective of how much of the company’s lost profits were derived specifically from the seizure 
and retention of the PPA-protected materials. See id. 

The boundaries of the PPA remain quite uncertain in the wake of Steve Jackson Games. See, e.g., 
State of Oklahoma v. One (1) Pioneer CD-ROM Changer, 891 P.2d 600, 607 (Okla. App. 1995) 
(rejecting the apparent premise of Steve Jackson Games that the seizure of computer equipment could 
violate the PPA merely because the equipment “also contained or was used to disseminate potential 
'documentary materials'”). The handful of federal courts that have resolved civil suits filed under the 
PPA since the district court opinion in Steve Jackson Games have ruled against the plaintiffs with little 
substantive analysis. See, e.g., Davis v. Gracey, 111 F.3d 1472, 1482 (10th Cir. 1997) (dismissing for 
lack of jurisdiction PPA suit improperly filed against municipal employees in their personal capacities); 
United States v. Hunter, 13 F. Supp.2d 574, 582 (D. Vt. 1998) (rejecting PPA claim when search of 
attorney's office for evidence of a crime arising from law practice led to seizure of materials relating to 
legal newsletter “because the government had reason to believe that [the defendant] had committed a 
criminal offense ... to which the seized materials related”); DePugh v. Sutton, 917 F. Supp. 690, 696-97 
(W.D. Mo. 1996) (rejecting pro se PPA challenge to seizure of materials relating to child pornography 
because there was probable cause to believe that the person possessing the materials committed the 
criminal offense to which the materials related), aff’d, 104 F.3d 363 (8th Cir. 1996); Powell v. Tordoff, 
911 F. Supp. 1184, 1189-90 (N.D. Iowa 1995) (dismissing PPA claim because plaintiff did not have 
standing to challenge search and seizure under the Fourth Amendment). See also Lambert v. Polk 
County, 723 F. Supp. 128, 132 (S.D. Iowa 1989) (rejecting PPA claim after police seized videotape 
because officers could not reasonably believe that the owner of the tape had a purpose to disseminate the 
material to the public). 

Agents and prosecutors who have reason to believe that a search may implicate the PPA should 
contact the Computer Crime and Intellectual Property Section at (202) 514-1026 or the Assistant U.S. 
Attorney designated as a Computer-Telecommunications Coordinator (CTC) in each district for more 
specific guidance. 



3. Civil Liability Under the Electronic Communications Privacy Act 

• When a search may result in the incidental seizure of network accounts belonging to innocent 
third parties, agents should take every step to protect the integrity of the third party accounts to 
avoid potential ECPA liability. 

When law enforcement executes a search of an Internet service provider and seizes the accounts of 
customers and subscribers, those customers and subscribers may bring civil actions claiming that the 
search violated the Electronic Communications Privacy Act (ECPA). ECPA governs law enforcement 
access to the contents of electronic communications stored by third-party service providers. See 18 
U.S.C. § 2703; Chapter 3, infra (discussing the Electronic Communications Privacy Act). In addition, 
ECPA has a criminal provision that prohibits unauthorized access to electronic or wire communications 
in “electronic storage.” See 18 U.S.C. § 2701; Chapter 3, infra (discussing the definition of “electronic 
storage”). 

The concern that a search executed pursuant to a valid warrant might violate ECPA derives from 
Steve Jackson Games, Inc. v. Secret Service, 816 F. Supp. 432 (W.D. Tex. 1993), discussed supra. In 
Steve Jackson Games, the district court held the Secret Service liable under ECPA after it seized, 
reviewed, and (in some cases) deleted stored electronic communications seized pursuant to a valid 
search warrant. See id. at 443. The court's holding appears to be rooted in the mistaken belief that 
ECPA requires that search warrants also comply with 18 U.S.C. § 2703(d) and the various notice 
requirements of § 2703. See id. In fact, ECPA makes quite clear that § 2703(d) and the notice 
requirements § 2703 are implicated only when law enforcement does not obtain a search warrant. 
Compare 18 U.S.C. § 2703(b)(1)(A), § 2703(c)(l)(B)(i) mth 18 U.S.C. § 2703(b)(1)(B), § 2703(c)(1) 
(B)(ii). See generally Chapter 3, infra. Indeed, the text of ECPA does not appear to contemplate civil 
liability for searches and seizures authorized by valid Rule 41 search warrants: ECPA expressly 
authorizes government access to stored communications pursuant to a warrant issued under the Eederal 
Rules of Criminal Procedure, see 18 U.S.C. § 2703(a), (b), (c)(1)(B); Davis v. Gracey. Ill E.3d 1472, 
1483 (10th Cir. 1997), and the criminal prohibition of § 2701 does not apply when access is authorized 
under § 2703. See 18 U.S.C. § 2701(c)(3)-. Eurther, objectively reasonable good faith reliance on a 
warrant, court order, or statutory authorization is a complete defense to an ECPA violation. See 18 
U.S.C. § 2707(e); Gracey, 111 E.3d at 1484 (applying good faith defense because seizure of stored 
communications incidental to a valid search was objectively reasonable). Compare Steve .lackson 
Games. 816 E. Supp. at 443 (stating without explanation that the court “declines to find this defense”). 

The best way to square the result in Steve Jackson Games with the plain language of ECPA is to 
exercise great caution when agents need to execute searches of Internet service providers and other 
third-parties holding stored wire or electronic communications. In most cases, investigators will want to 
avoid a wholesale search and seizure of the provider’s computers. When investigators have no choice 
but to execute the search, they must take special care. For example, if agents have reason to believe that 
they may seize customer accounts belonging to innocent persons but have no reason to believe that the 
evidence sought will be stored there, they should inform the magistrate judge in the search warrant 
affidavit that they will not search those accounts and should take steps to ensure the confidentiality of 
the accounts in light of the privacy concerns expressed by 18 U.S.C. § 2703. Safeguarding the accounts 
of innocent persons absent specific reasons to believe that evidence may be stored in the persons' 
accounts should satisfy the concerns expressed in Steve Jackson Games. Compare Steve Jackson 
Games, 816 F. Supp. at 441 (finding ECPA liability where agents read the private communications of 
customers not involved in the crime “and thereafter deleted or destroyed some communications either 
intentionally or accidentally”) with Gracey, 111 F.3d at 1483 (declining to find ECPA liability in seizure 
where “[p]laintiffs have not alleged that the officers attempted to access or read the seized e-mail, and 
the officers disclaimed any interest in doing so”). 

If agents believe that a hacker or system administrator might have hidden evidence of a crime in 
the account of an innocent customer or subscriber, agents should proceed carefully. For example, agents 
should inform the magistrate judge of their need to search the account in the affidavit, and should 
attempt to obtain the consent of the customer or subscriber if feasible. In such cases, agents should 
contact the Computer Crime and Intellectual Property Section at (202) 514-1026 or the CTC designated 
in their district for more specific guidance. 



4. Considering the Need for Multiple Warrants in Network Searches 

• Agents should obtain multiple warrants if they have reason to believe that a network search will 
retrieve data stored in multiple locations. 

Fed. R. Crim. P. 41(a) states that a magistrate judge located in one judicial district may issue a 
search warrant for “a search of property . . . within the district,” or “a search of property . . . outside the 
district if the property . . . is within the district when the warrant is sought but might move outside the 
district before the warrant is executed.” The Supreme Court has held that “property” as described in 
Rule 41 includes intangible property such as computer data. See United States v. New York Tel. Co., 
434 U.S. 159, 170 (1977). Although the courts have not directly addressed the matter, the language of 
Rule 41 combined with the Supreme Court’s interpretation of “property” may limit searches of computer 
data to data that resides in the district in which the warrant was issued. Cf. United States v. Walters, 558 
F. Supp. 726, 730 (D. Md. 1980) (suggesting such a limit in a case involving telephone records). 

A territorial limit on searches of computer data poses problems for law enforcement because 
computer data stored in a computer network can be located anywhere in the world. For example, agents 
searching an office in Manhattan pursuant to a warrant from the Southern District of New York may sit 
down at a terminal and access information stored remotely on a computer located in New Jersey, 
California, or even a foreign country. A single file described by the warrant could be located anywhere 
on the planet, or could be divided up into several locations in different districts or countries. Even 
worse, it may be impossible for agents to know when they execute their search whether the data they are 
seizing has been stored within the district or outside of the district. Agents may in some cases be able to 
learn where the data is located before the search, but in others they will be unable to know the storage 
site of the data until after the search has been completed. 

When agents can learn prior to the search that some or all of the data described by the warrant is 
stored remotely from where the agents will execute the search, the best course of action depends upon 
where the remotely stored data is located. When the data is stored remotely in two or more different 
places within the United States and its territories, agents should obtain additional warrants for each 
location where the data resides to ensure compliance with a strict reading of Rule 41(a). For example, if 
the data is stored in two different districts, agents should obtain separate warrants from the two districts. 
Agents should also include a thorough explanation of the location of the data and the proposed means of 
conducting the search in the affidavits accompanying the warrants. 

When agents learn before a search that some or all of the data is stored remotely outside of the 
United States, matters become more complicated. The United States may be required to take actions 
ranging from informal notice to a formal request for assistance to the country concerned. Further, some 
countries may object to attempts by U.S. law enforcement to access computers located within their 
borders. Although the search may seem domestic to a U.S. law enforcement officer executing the search 
in the United States pursuant to a valid warrant, other countries may view matters differently. Agents 
and prosecutors should contact the Office of International Affairs at (202) 514-0000 for assistance with 
these difficult questions. 

When agents do not and even cannot know that data searched from one district is actually located 
outside the district, evidence seized remotely from another district ordinarily should not lead to 
suppression of the evidence obtained. The reasons for this are twofold. First, courts may conclude that 
agents sitting in one district who search a computer in that district and unintentionally cause intangible 
information to be sent from a second district into the first have complied with Rule 41(a). Compare 
United States v. Ramirez, 112 F.3d 849, 852 (7th Cir. 1997) (Posner, C.J.) (adopting a permissive 
construction of the territoriality provisions of Title III); United States v. Denman, 100 F.3d 399, 402 
(5th Cir. 1996) (same); United States v. Rodriguez, 968 F.2d 130 (2d Cir. 1992) (same). 

Second, even if courts conclude that the search violates Rule 41(a), the violation will not lead to 
suppression of the evidence unless the agents intentionally and deliberately disregarded the Rule, or the 
violation leads to “prejudice” in the sense that the search might not have occurred or would not have 
been so “abrasive” if the Rule had been followed. See United States v. Burke, 517 F.2d 377, 386 (2d 
Cir. 1975) (Friendly, J.); United States v. Martinez-Zayas, 857 F.2d 122, 136 (3d Cir. 1988) (citing 
cases). Under the widely-adopted Burke test, courts generally deny motions to suppress when agents 
executing the search cannot know whether it violates Rule 41 either legally or factually. See 
Martinez-Zayas, 857 F.2d at 136 (concluding that a search passed the Burke test “[g]iven the uncertain state of the 
law” concerning whether the conduct violated Rule 41(a)). Accordingly, evidence acquired from a 
network search that accessed data stored in multiple districts should not lead to suppression unless the 
agents intentionally and deliberately disregarded Rule 41(a) or prejudice resulted. See generally United 
States v. Trost, 152 F.3d 715, 722 (7th Cir. 1998) (“[I]t is difficult to anticipate any violation of Rule 41, 
short of a defect that also offends the Warrant Clause of the fourth amendment, that would call for 
suppression.”). 



5. No-Knock Warrants 

As a general matter, agents must announce their presence and authority prior to executing a search 
warrant. See Wilson v. Arkansas, 514 U.S. 927, 934 (1995); 18 U.S.C. § 3109. This so-called “knock 
and announce” rule reduces the risk of violence and destruction of property when agents execute a 
search. The rule is not absolute, however. In Richards v. Wisconsin, 520 U.S. 385 (1997), the Supreme 
Court held that agents can dispense with the knock-and-announce requirement if they have 

a reasonable suspicion that knocking and announcing their presence, under the particular 
circumstances, would be dangerous or futile, or that it would inhibit the effective 
investigation of the crime by, for example, allowing the destruction of evidence. 






Id. at 394. The Court stated that this showing was “not high, but the police should be required to make 
it whenever the reasonableness of a no-knock entry is challenged.” Id. at 394-95. Such a showing 
satisfies both the Fourth Amendment and the statutory knock-and-announce rule of 18 U.S.C. § 3109. 
See United States v. Ramirez, 118 S. Ct. 992, 997-98 (1998). 

Agents may need to conduct no-knock searches in computer crime cases because technically adept 
suspects may “hot wire” their computers in an effort to destroy evidence. For example, technically 
adept computer hackers have been known to use “hot keys,” computer programs that destroy evidence 
when a special button is pressed. If agents knock at the door to announce their search, the suspect can 
simply press the button and activate the program to destroy the evidence. 

When agents have reason to believe that knocking and announcing their presence would allow the 
destruction of evidence, would be dangerous, or would be futile, agents should request that the 
magistrate judge issue a no-knock warrant. The failure to obtain judicial authorization to dispense with 
the knock-and-announce rule does not preclude the agents from conducting a no-knock search, 
however. In some cases, agents may neglect to request a no-knock warrant, or may not have reasonable 
suspicion that evidence will be destroyed until they execute the search. In Richards, the Supreme Court 
made clear that “the reasonableness of the officers' decision [to dispense with the knock-and-announce 
rule] . . . must be evaluated as of the time they entered” the area to be searched. Richards, 520 U.S. at 
395. Accordingly, agents may “exercise independent judgment” and decide to conduct a no-knock 
search when they execute the search, even if they did not request such authority or the magistrate judge 
specifically refused to authorize a no-knock search. Id. at 396 n.7. The question in all such cases is 
whether the agents had “a reasonable suspicion that knocking and announcing their presence, under the 
particular circumstances, would be dangerous or futile, or that it would inhibit the effective investigation 
of the crime by, for example, allowing the destruction of evidence.” Id. at 394. 



6. Sneak-and-Peek Warrants 

Despite Rule 41(d), courts have authorized “sneak-and-peek” warrants in a few narrow situations. 
Sometimes called “surreptitious search warrants,” sneak-and-peek warrants are warrants that excuse 
agents from having to notify the person whose premises are searched that the search has occurred at the 
time of the search. See Paul V. Konovalov, Note, On a Quest for Reason: A New Look at Surreptitious 
Search Warrants, 48 Hastings L.J. 435, 443 (1997); United States v. Freitas, 800 F.2d 1451, 1452 (9th 
Cir. 1986) (discussing magistrate judge's creation of a sneak and peek warrant by “cross[ing] off . . . the 
requirement [on the warrant form] that copies of the warrant and an inventory of the property taken were 
to be left at the residence”). Because notice furthers important constitutional values, it is important that 
agents who wish to obtain sneak-and-peek warrants should do so sparingly, and only in special 
circumstances. However, sneak-and-peek searches may prove useful in searches for intangible 
computer data. For example, agents executing a sneak-and-peek warrant to search a computer may be 
able to enter a business after hours, search the computer, and then exit the business without leaving any 
sign that the search occurred. 

The circuits that have considered the legality of sneak-and-peek warrants have struggled to 
reconcile them with Rule 41(d) and the Fourth Amendment. The Second and Ninth Circuits each set 
forth two requirements that must be met in the absence of explicit statutory authority before a 
sneak-and-peek warrant may be authorized. First, the officers must make a showing of “reasonable necessity” 
as to why the officers should be able to delay notice of the search. United States v. Villegas, 899 F.2d 
1324, 1337 (2d Cir. 1990). See also Freitas, 800 F.2d at 1456. Second, the warrant must require notice 
to the target of the search within seven days of the surreptitious search unless a “strong showing of 
necessity” for further delay has been made. Freitas, 800 F.2d at 1456; see also Villegas, 899 F.2d at 
1337. Although other circuits may take a less restrictive approach, see United States v. Simons, 206 
F.3d 392, 403 (4th Cir. 2000) (concluding that a 45-day delay in notice was permissible under the 
Fourth Amendment), these two requirements provide a useful standard that agents should follow when 
they seek judicial authorization to conduct a sneak-and-peek search. 

If these two requirements are met, a court will permit evidence obtained in violation of Rule 41 to 
be used in court so long as 1) the covert nature of the search did not prejudice the target, in the sense that 
the search might not have occurred if notice had been given, and 2) the agents did not intentionally and 
deliberately disregard Rule 41 in executing the search. See Simons, 206 F.3d at 403; United States v. 
Pangburn, 983 F.2d 449, 455 (2d Cir. 1993); United States v. Johns, 948 F.2d 599, 603 (9th Cir. 1991). 
Agents executing a sneak-and-peek search will not be deemed to have intentionally and deliberately 
disregarded Rule 41 if the warrant authorized the sneak-and-peek search, or the executing agents 
believed that the warrant authorized such a search. See United States v. Simons, 107 F. Supp.2d 703, 
705 (E.D. Va. 2000) (concluding that agents who mistakenly believed that a warrant authorized a 
sneak-and-peek warrant were “at most, negligent,” and that the resulting search was therefore not 
executed with intentional disregard of Rule 41). Finally, a showing of good faith reliance on a 
sneak-and-peek warrant will defeat a suppression motion. See Johns, 948 F.2d at 605; Freitas, 800 F.2d at 
1456. See generally United States v. Leon, 468 U.S. 897 (1984). 



7. Privileged Documents 

Agents must exercise special care when planning a computer search that may result in the seizure 
of legally privileged documents such as medical records or attorney-client communications. Two issues 
must be considered. First, agents should make sure that the search will not violate the Attorney 
General's regulations relating to obtaining confidential information from disinterested third parties. 
Second, agents should devise a strategy for reviewing the seized computer files following the search so 
that no breach of a privilege occurs. 

a) The Attorney General's Regulations Relating to Searches of Disinterested Lawyers, Physicians, 
and Clergymen 

Agents should be very careful if they plan to search the office of a doctor, lawyer, or member of 
the clergy who is not implicated in the crime under investigation. At Congress's direction, the Attorney 
General has issued guidelines for federal officers who want to obtain documentary materials from such 
disinterested third parties. See 42 U.S.C. § 2000aa-11(a); 28 C.F.R. § 59.4(b). Under these rules, 
federal law enforcement officers should not use a search warrant to obtain documentary materials 
believed to be in the private possession of a disinterested third party physician, lawyer, or clergyman 
where the material sought or likely to be reviewed during the execution of the warrant contains 
confidential information on patients, clients, or parishioners. 28 C.F.R. § 59.4(b). The regulation does 
contain a narrow exception. A search warrant can be used if using less intrusive means would 
substantially jeopardize the availability or usefulness of the materials sought; access to the documentary 
materials appears to be of substantial importance to the investigation; and the application for the warrant 
has been recommended by the U.S. Attorney and approved by the appropriate Deputy Assistant 
Attorney General. See 28 C.F.R. § 59.4(b)(1) and (2). 

When planning to search the offices of a lawyer under investigation, agents should follow the 
guidelines offered in the United States Attorney's Manual, and should consult the Office of Enforcement 
Operations at (202) 514-3684. See generally United States Attorney's Manual, § 9-13.420 (1997). 

b) Strategies for Reviewing Privileged Computer Files 

• Agents contemplating a search that may result in the seizure of legally privileged computer files 
should devise a post-seizure strategy for screening out the privileged files and should describe 
that strategy in the affidavit. 

When agents seize a computer that contains legally privileged files, a trustworthy third party must 
comb through the files to separate those files within the scope of the warrant from files that contain 
privileged material. After reviewing the files, the third party will offer those files within the scope of the 
warrant to the prosecution team. Preferred practices for determining who will comb through the files 
vary widely among different courts. In general, however, there are three options. First, the court itself 
may review the files in camera. Second, the presiding judge may appoint a neutral third party known as 
a “special master” to the task of reviewing the files. Third, a team of prosecutors who are not working 
on the case may form a “taint team” or “privilege team” to help execute the search and review the files 
afterwards. The taint team sets up a so-called “Chinese Wall” between the evidence and the prosecution 
team, permitting only unprivileged files that are within the scope of the warrant to slip through the wall. 

Because a single computer can store millions of files, judges will undertake in camera review of 
computer files only rarely. See Black v. United States, 172 F.R.D. 511, 516-17 (S.D. Fla. 1997) 
(accepting in camera review given unusual circumstances); United States v. Skeddle, 989 F. Supp. 890, 
893 (N.D. Ohio 1997) (declining in camera review). Instead, the typical choice is between using a taint 
team and a special master. Most prosecutors will prefer to use a taint team if the court consents. A taint 
team can usually screen through the seized computer files fairly quickly, whereas special masters often 
take several years to complete their review. See Black, 172 F.R.D. at 514 n.4. On the other hand, some 
courts have expressed discomfort with taint teams. See United States v. Neill, 952 F. Supp. 834, 841 
(D.D.C. 1997); United States v. Hunter, 13 F. Supp.2d 574, 583 n.2 (D. Vt. 1998) (stating that review by 
a magistrate judge or special master “may be preferable” to reliance on a taint team) (citing In re Search 
Warrant, 153 F.R.D. 55, 59 (S.D.N.Y. 1994)). Although no single standard has emerged, these courts 
have generally indicated that evidence screened by a taint team will be admissible only if the 
government shows that its procedures adequately protected the defendants' rights and no prejudice 
occurred. See, e.g., Neill, 952 F. Supp. at 840-42; Hunter, 13 F. Supp. 2d at 583. In unusual 
circumstances, the court may conclude that a taint team would be inadequate and may appoint a special 
master to review the files. See, e.g., United States v. Abbell, 914 F. Supp. 519 (S.D. Fla. 1995); 
DeMassa v. Nunez, 747 F.2d 1283 (9th Cir. 1984). In any event, the reviewing authority will almost 
certainly need a skilled and neutral technical expert to assist in sorting, identifying, and analyzing digital 
evidence for the reviewing process. 



C. Drafting the Warrant and Affidavit 

Law enforcement officers must draft two documents to obtain a search warrant from a magistrate 
judge. The first document is the affidavit, a sworn statement that (at a minimum) explains the basis for 
the affiant's belief that the search is justified by probable cause. The second document is the proposed 
warrant itself. The proposed warrant typically is a one-page form, plus attachments incorporated by 
reference, that describes the place to be searched, and the persons or things to be seized. If the 
magistrate judge agrees that the affidavit establishes probable cause, and that the proposed warrant's 
descriptions of the place to be searched and things to be seized are adequately particular, the magistrate 
judge will sign the warrant. Under the Federal Rules of Criminal Procedure, officers must execute the 
warrant within ten days after the warrant has been signed. See Fed. R. Crim. P. 41(b). 






Step 1: Accurately and Particularly Describe the Property to be Seized in the Warrant and/or 
Attachments to the Warrant 

a. General 

Agents must take special care when describing the computer files or hardware to be seized, either 
in the warrant itself or (more likely) in an attachment to the warrant incorporated into the warrant by 
reference. The Fourth Amendment requires that every warrant must “particularly describ[e] . . . the . . . 
things to be seized.” U.S. Const. Amend. IV. The particularity requirement prevents law enforcement 
from executing “general warrants” that permit “exploratory rummaging” through a person's belongings 
in search of evidence of a crime. Coolidge v. New Hampshire, 403 U.S. 443, 467 (1971). 

The particularity requirement has two distinct elements. See United States v. Upham, 168 F.3d 
532, 535 (1st Cir. 1999). First, the warrant must describe the things to be seized with sufficiently 
precise language so that it tells the officers how to separate the items properly subject to seizure from 
irrelevant items. See Davis v. Gracey, 111 F.3d 1472, 1478 (10th Cir. 1997); Marron v. United States, 
275 U.S. 192, 296 (1925) (“As to what is to be taken, nothing is left to the discretion of the officer 
executing the warrant.”). Second, the description of the things to be seized must not be so broad that it 
encompasses items that should not be seized. See Upham, 168 F.3d at 535. Put another way, the 
description in the warrant of the things to be seized should be limited to the scope of the probable cause 
established in the warrant. See In re Grand Jury Investigation Concerning Solid State Devices, 130 F.3d 
853, 857 (9th Cir. 1997). Considered together, the elements forbid agents from obtaining “general 
warrants” and instead require agents to conduct narrow seizures that attempt to “minimize[] unwarranted 
intrusions upon privacy.” Andresen v. Maryland, 427 U.S. 463, 482 n.11 (1976). 



b. Warrants to Seize Hardware Compared to Warrants to Seize Information 

• If computer hardware is contraband, evidence, fruits, or instrumentalities of crime, the warrant 
should describe the hardware itself. If the probable cause relates only to information, however, 
the warrant should describe the information, rather than the physical storage devices which 
happen to contain it. 

The most important decision agents must make when describing the property in the warrant is 
whether the seizable property according to Rule 41 is the computer hardware itself, or merely the 
information that the hardware contains. If the computer hardware is itself contraband, an instrumentality 
of crime, or evidence, the focus of the warrant should be on the computer hardware itself and not on the 
information it contains. The warrant should describe the hardware and indicate that the hardware will be 
seized. See, e.g., Davis v. Gracey, 111 F.3d 1472, 1480 (10th Cir. 1997) (seizure of computer 
“equipment” used to store obscene pornography was proper because the equipment was an 
instrumentality). However, if the probable cause relates only to information stored on the computer, the 
warrant should focus on the content of the relevant files rather than on the storage devices which may 
happen to contain them. See, e.g., United States v. Gawrysiak, 972 F. Supp. 853, 860 (D.N.J. 1997), 
aff'd, 178 F.3d 1281 (3d Cir. 1999) (upholding seizure of “records [that] include information and/or data 
stored in the form of magnetic or electronic coding on computer media . . . which constitute evidence” 
of enumerated federal crimes). The warrant should describe the information based on its content (e.g., 
gambling records, evidence of a fraud scheme), and then request the authority to seize the information in 
whatever form the information may be stored. To determine whether the warrant should describe the 
computer hardware itself or the information it contains, agents should consult Appendix F and determine 
whether the hardware constitutes evidence, contraband, or an instrumentality that may itself be seizable 
according to Rule 41(a). 

• When conducting a search for information, agents need to consider carefully exactly what 
information they need. The information may be very narrow (e.g., a specific record or report), or 
quite broad (e.g., thousands of records relating to an elaborate fraud scheme). Agents should 
tailor each warrant to the needs of each search. The warrant should describe the information to 
be seized, and then request the authority to seize the information in whatever form it may be 
stored (whether electronic or not). 

Agents should be particularly careful when seeking authority to seize a broad class of information. 
This often occurs when agents plan to search computers at a business. See, e.g., United States v. Leary, 
846 F.2d 592, 594 (10th Cir. 1988). Agents cannot simply request permission to seize “all records” 
from an operating business unless agents have probable cause to believe that the criminal activity under 
investigation pervades the entire business. See United States v. Ford, 184 F.3d 566, 576 (6th Cir. 1999) 
(citing cases); In re Grand Jury Investigation Concerning Solid State Devices, 130 F.3d 853, 857 (9th 
Cir. 1997). Instead, the description of the files to be seized should include limiting phrases that can 
modify and limit the “all records” search. For example, agents may specify the crime under 
investigation, the target of the investigation if known, and the time frame of the records involved. See, 
e.g., United States v. Kow, 58 F.3d 423, 427 (9th Cir. 1995) (invalidating warrant for failure to name 
crime or limit seizure to documents authored during time frame under investigation); Ford, 184 F.3d at 
576 (“Failure to limit broad descriptive terms by relevant dates, when such dates are available to the 
police, will render a warrant overbroad.”); In the Matter of the Application of Lafayette Academy, 610 
F.2d 1, 3 (1st Cir. 1979); United States v. Hunter, 13 F. Supp.2d 574, 584 (D. Vt. 1998) (concluding that 
warrant to seize “[a]ll computers” not sufficiently particular where description “did not indicate the 
specific crimes for which the equipment was sought, nor were the supporting affidavits or the limits 
contained in the searching instructions incorporated by reference.”). 

In light of these cases, agents should narrow “all records” searches with limiting language where 
necessary and appropriate. One effective approach is to begin with an “all records” description; add 
limiting language stating the crime, the suspects, and relevant time period if applicable; include explicit 
examples of the records to be seized; and then indicate that the records may be seized in any form, 
whether electronic or non-electronic. For example, when drafting a warrant to search a computer at a 
business for evidence of a drug trafficking crime, agents might describe the property to be seized in the 
following way: 

All records relating to violations of 21 U.S.C. § 841(a) (drug trafficking) and/or 21 U.S.C. 
§ 846 (conspiracy to traffic drugs) involving [the suspect] since January 1, 1996, including 
lists of customers and related identifying information; types, amounts, and prices of drugs 
trafficked as well as dates, places, and amounts of specific transactions; any information 
related to sources of narcotic drugs (including names, addresses, phone numbers, or any 
other identifying information); any information recording [the suspect's] schedule or travel 
from 1995 to the present; all bank records, checks, credit card bills, account information, 
and other financial records. 

The terms “records” and “information” include all of the foregoing items of evidence in 
whatever form and by whatever means they may have been created or stored, including any 
electrical, electronic, or magnetic form (such as any information on an electronic or 
magnetic storage device, including floppy diskettes, hard disks, ZIP disks, CD-ROMs, 
optical discs, backup tapes, printer buffers, smart cards, memory calculators, pagers, 
personal digital assistants such as Palm Pilot computers, as well as printouts or readouts 
from any magnetic storage device); any handmade form (such as writing, drawing, 
painting); any mechanical form (such as printing or typing); and any photographic form 
(such as microfilm, microfiche, prints, slides, negatives, videotapes, motion pictures, 
photocopies). 



This language describes the general class of information to be seized (“all records”); narrows it to 
the extent possible (only those records involving the defendant's drug trafficking activities since 1995); 
offers examples of the types of records sought (such as customer lists and bank records); and then 
explains the various forms that the records may take (including electronic and non-electronic forms). 

Of course, agents do not need to follow this approach in every case; judicial review of search 
warrants is “commonsensical” and “practical,” rather than “overly technical.” United States v. 
Ventresca, 380 U.S. 102, 108 (1965). When agents cannot know the precise form that records will take 
before the search occurs, a generic description must suffice. See Davis v. Gracey, 111 F.3d 1472, 1478 
(10th Cir. 1997) (“Even a warrant that describes the items to be seized in broad or generic terms may be 
valid when the description is as specific as the circumstances and the nature of the activity under 
investigation permit.”) (internal quotations omitted); United States v. London, 66 F.3d 1227, 1238 (1st 
Cir. 1995) (noting that where the defendant “operated a complex criminal enterprise where he mingled 
‘innocent’ documents with apparently-innocent documents which, in fact, memorialized illegal 
transactions, .... [it] would have been difficult for the magistrate judge to be more limiting in phrasing 
the warrant's language, and for the executing officers to have been more discerning in determining what 
to seize.”); United States v. Sharfman, 448 F.2d 1352, 1354-55 (2d Cir. 1971); Gawrysiak, 972 F. Supp. 
at 861. Even an “all records” search seeking evidence of a particular criminal activity may be 
appropriate in certain circumstances. See also United States v. Hargus, 128 F.3d 1358, 1362-63 (10th 
Cir. 1997) (upholding seizure of “any and all records relating to the business” under investigation for 
mail fraud and money laundering); London, 66 F.3d at 1238 (upholding search for “books and records . . 
. and any other documents. . . which reflect unlawful gambling”); United States v. Riley, 906 F.2d 841, 
844-45 (2d Cir. 1990) (upholding seizure of “items that constitute evidence of the offenses of conspiracy 
to distribute controlled substances”); United States v. Wayne, 903 F.2d 1188, 1195 (8th Cir. 1990) 
(upholding search for “documents and materials which may be associated with . . contraband 
[narcotics]”). 

c. Defending Computer Search Warrants Against Challenges Based on the Description of the “Things 
to be Seized” 

Search warrants may be subject to challenge when the description of the “things to be seized” does 
not comply fully with the best practices described above. Two challenges to the scope of warrants arise 
particularly often. First, defendants may claim that a warrant is insufficiently particular when the 
warrant authorizes the seizure of hardware but the affidavit only establishes probable cause to seize 
information. Second, defendants may claim that agents exceeded the scope of the warrant by seizing 
computer equipment if the warrant failed to state explicitly that the information to be seized might be in 
electronic form. The former challenge argues that the description of the property to be seized was too 
broad, and the latter argues that the description was not broad enough. 

1) When the warrant authorizes the seizure of hardware but the affidavit only establishes 
probable cause to seize information 

Computer search warrants sometimes authorize the seizure of hardware when the probable cause in 
the affidavit relates solely to the computer files the hardware contains. For example, agents may have 
probable cause to believe that a suspect possesses evidence of a fraud scheme, and may draft the warrant 
to authorize the seizure of the defendant's computer equipment rather than the data stored within it. On 
a practical level, such a description makes sense because it accurately and precisely describes what the 
agents will do when they execute the warrant (i.e., seize the computer equipment). From a legal 
standpoint, however, the description is less than ideal: the equipment itself is not evidence of a crime, an 
instrumentality or contraband that may be seized according to Rule 41(a). See Appendix F; cf. In re 
Grand Jury Subpoena Duces Tecum, 846 F. Supp. 11, 13 (S.D.N.Y. 1994) (concluding that a subpoena 
demanding production of computer hardware instead of the information it contained was unreasonably 
broad pursuant to Fed. R. Crim. P. 17(c)). The physical equipment merely stores the information that 
the agents have probable cause to seize. Although the agents may need to seize the equipment in order 
to obtain the files it contains, the better practice is to describe the information rather than the equipment 
in the warrant itself. When agents obtain a warrant authorizing the seizure of equipment, defendants 
may claim that the description of the property to be seized is fatally overbroad. See, e.g., Davis v. 
Gracey, 111 F.3d 1472, 1479 (10th Cir. 1997).2 

To date, the courts have adopted a forgiving stance when faced with this challenge. The courts 
have generally held that descriptions of hardware can satisfy the particularity requirement so long as the 
subsequent searches of the seized computer hardware appear reasonably likely to yield evidence of 
crime. See, e.g., United States v. Hay, 231 F.3d 630, 634 (9th Cir. 2000) (upholding seizure of 
“computer hardware” in search for materials containing child pornography); United States v. Campos, 
221 F.3d 1143, 1147 (10th Cir. 2000) (upholding seizure of “computer equipment which may be, or is 
used to visually depict child pornography,” and noting that the affidavit accompanying the warrant 
explained why it would be necessary to seize the hardware and search it off-site for the images it 
contained); United States v. Upham, 168 F.3d 532, 535 (1st Cir. 1999) (upholding seizure of “[a]ny and 
all computer software and hardware, . . . computer disks, disk drives” in a child pornography case 
because “[a]s a practical matter, the seizure and subsequent off-premises search of the computer and all 
available disks was about the narrowest definable search and seizure reasonably likely to obtain the 
[sought after] images”); United States v. Lacy, 119 F.3d 742, 746 (9th Cir. 1997) (warrant permitting 
“blanket seizure” of computer equipment from defendant’s apartment not insufficiently particular when 
there was probable cause to believe that computer would contain evidence of child pornography 
offenses); United States v. Henson, 848 F.2d 1374 (6th Cir. 1988) (permitting seizure of “computer[s], 
computer terminals, . . . cables, printers, discs, floppy discs, [and] tapes” that could hold evidence of the 
defendants' odometer-tampering scheme because such language “is directed toward items likely to 
provide information concerning the [defendants'] involvement in the . . . scheme and therefore did not 
authorize the officers to seize more than what was reasonable under the circumstances”); United States 
v. Hersch, 1994 WL 568728, at *1 (D. Mass. 1994). Cf. United States v. Lamb, 945 F. Supp. 441, 458-59 
(N.D.N.Y. 1996) (not insufficiently particular to ask for “[a]ll stored files” in AOL network account 
when searching account for obscene pornography, because as a practical matter all files need to be 
reviewed to determine which files contain the pornography). 

Despite these decisions, agents should comply with the technical requirements of Rule 41 when 
describing the “property to be seized” in a search warrant. If the property to be seized is information, 
the warrant should describe the information to be seized, rather than its container. Of course, when the 
information to be seized is contraband (such as child pornography), the container itself may be 
independently seized as an instrumentality. See Gracey, 111 F.3d at 1480 (seizure of computer 
“equipment” was proper in case involving obscenity because the hardware was an instrumentality of the 
crime). 

2) When agents seize computer data and computer hardware but the warrant does not expressly 
authorize their seizure 

Search warrants sometimes fail to mention that information described in the warrant may appear in 
electronic form. For example, a search for “all records” relating to a conspiracy may list paper-world 
examples of record documents but neglect to state that the records may be stored within a computer. 
Agents executing the search who come across computer equipment may not know whether the warrant 
authorizes the seizure of the computers. If the agents do seize the computers, defense counsel may file a 
motion to suppress the evidence arguing that the computers seized were beyond the scope of the 
warrant. 

The courts have generally permitted agents to seize computer equipment when agents reasonably 
believe that the content described in the warrant may be stored there, regardless of whether the warrant 
states expressly that the information may be stored in electronic form. See, e.g., United States v. 
Musson, 650 F. Supp. 525, 532 (D. Colo. 1986). As the Tenth Circuit explained in United States v. 
Reyes, 798 F.2d 380, 383 (10th Cir. 1986), “in the age of modern technology and commercial 
availability of various forms of items, the warrant c[an] not be expected to describe with exactitude the 
precise form the records would take.” Accordingly, what matters is the substance of the evidence, not 
its form, and the courts will defer to an executing agent's reasonable construction of what property must 
be seized to obtain the evidence described in the warrant. See United States v. Hill, 19 F.3d 984, 987-89 
(5th Cir. 1994); Hessel v. O'Hearn, 977 F.2d 299 (7th Cir. 1992); United States v. Word, 806 F.2d 658, 
661 (6th Cir. 1986); United States v. Gomez-Soto, 723 F.2d 649, 655 (9th Cir. 1984) (“The failure of the 
warrant to anticipate the precise container in which the material sought might be found is not fatal.”). 
See also United States v. Abbell, 963 F. Supp. 1178, 1997 (S.D. Fla. 1997) (noting that agents may 
legitimately seize “[a] document which is implicitly within the scope of the warrant — even if it is not 
specifically identified”). 



3) General defenses to challenges of computer search warrants based on the description of the “things 
to be seized” 

Prosecutors facing challenges to the particularity of computer search warrants have a number of 
additional arguments that may save inartfully drawn warrants. First, prosecutors can argue that the 
agents who executed the search had an objectively reasonable good faith belief that the warrant was 
sufficiently particular. See generally United States v. Leon, 468 U.S. 897, 922 (1984); Massachusetts v. 
Shepard, 468 U.S. 981, 990-91 (1984). If true, the court will not order suppression of the evidence. 
See, e.g., United States v. Hunter, 13 F. Supp. 2d 574, 584-85 (D. Vt. 1998) (holding that good faith 
exception applied even though computer search warrant was insufficiently particular). Second, 
prosecutors may argue that the broad description in the warrant must be read in conjunction with a more 
particular description contained in the supporting affidavit. Although the legal standards vary widely 
among the circuits, see Wayne R. LaFave, Search and Seizure: A Treatise on the Fourth Amendment § 
4.6(a) (1994), most circuits permit the warrant to be construed with reference to the affidavit for 
purposes of satisfying the particularity requirement in certain circumstances. Finally, several circuits 
have held that courts can redact overbroad language and admit evidence from overbroad seizures if the 
evidence admitted was seized pursuant to sufficiently particular language. See United States v. 
Christine, 687 F.2d 749, 759 (3d Cir. 1982); Gomez-Soto, 723 F.2d at 654. 



Step 2: Establish Probable Cause in the Affidavit 

The second step in preparing a warrant to search and seize a computer is to write a sworn affidavit 
establishing probable cause to believe that contraband, evidence, fruits, or instrumentalities of crime 
exist in the location to be searched. See U.S. Const. Amend. IV (“no Warrants shall issue, but upon 
probable cause, supported by Oath or affirmation”); Fed. R. Crim. P. 41(b),(c). According to the 
Supreme Court, the affidavit must establish “a fair probability that contraband or evidence of a crime 
will be found in a particular place.” Illinois v. Gates, 462 U.S. 213, 238 (1983). This requires a 
practical, common-sense determination of the probabilities, based on a totality of the circumstances. 
See id. Of course, probable cause will not exist if the agent can only point to a “bare suspicion” that 
criminal evidence will be found in the place searched. See Brinegar v. United States, 338 U.S. 160, 175 
(1949). Once a magistrate judge finds probable cause and issues the warrant, the magistrate's 
determination that probable cause existed is entitled to “great deference,” Gates, 462 U.S. at 236, and 
will be upheld so long as there is a “substantial basis for concluding that probable cause existed.” Id. at 
238-39 (internal quotations omitted). 

Importantly, the probable cause requirement does not require agents to be clairvoyant in their 
knowledge of the precise forms of evidence or contraband that will exist in the location to be searched. 
For example, agents do not need probable cause to believe that the evidence sought will be found in 
computerized (as opposed to paper) form. See United States v. Reyes, 798 F.2d 380, 382 (10th Cir. 
1986) (noting that “in the age of modern technology . . . , the warrant could not be expected to describe 
with exactitude the precise forms the records would take”). Similarly, agents do not need to know 
exactly what statutory violation the evidence will help reveal, see United States v. Prandy-Binett, 995 
F.2d 1069, 1073 (D.C. Cir. 1993), and do not need to know who owns the property to be searched and 
seized, see United States v. McNally, 473 F.2d 934, 942 (3d Cir. 1973). The probable cause standard 
simply requires agents to establish a fair probability that contraband or evidence of a crime will be found 
in the particular place to be searched. See Gates, 462 U.S. at 238. Of course, agents who have 
particular knowledge as to the form of evidence or contraband that exists at the place to be searched 
should articulate that knowledge fully in the affidavit. 

Probable cause challenges to computer search warrants arise particularly often in cases involving 
the possession and transmission of child pornography images. For example, defendants often claim 
that the passage of time between the warrant application and the occurrence of the incriminating facts 
alleged in the affidavit left the magistrate judge without sufficient reason to believe that images of child 
pornography would be found in the defendant's computers. The courts have generally found little merit 
in these “staleness” arguments, in part because the courts have taken judicial notice of the fact that 
collectors of child pornography rarely dispose of such material. See, e.g., United States v. Lacy, 119 
F.3d 742, 745-46 (9th Cir. 1997); United States v. Sassani, 139 F.3d 895, 1998 WL 89875, at *4-5 (4th 
Cir. 1998) (unpublished) (citing cases). 

Probable cause challenges may also arise when supporting evidence in an affidavit derives heavily 
from records of a particular Internet account or Internet Protocol (“IP”) address. The problem is a 
practical one: generally speaking, the fact that an account or address was used does not establish 
conclusively the identity or location of the particular person who used it. As a result, an affidavit based 
heavily on account or IP address logs must demonstrate a sufficient connection between the logs and the 
location to be searched to establish “a fair probability that contraband or evidence of a crime will be 
found in [the] particular place” to be searched. Gates, 462 U.S. at 238. See, e.g., United States v. Hay, 
231 F.3d 630, 634 (9th Cir. 2000) (evidence that child pornography images were sent to an IP address 
associated with the defendant’s apartment, combined with other evidence of the defendant’s interest in 
young children, created probable cause to search the defendant’s apartment for child pornography); 
United States v. Grant, 218 F.3d 72, 76 (1st Cir. 2000) (evidence that an Internet account belonging to 
the defendant was involved in criminal activity on several occasions, and that the defendant’s car was 
parked at his residence during at least one such occasion, created probable cause to search the 
defendant’s residence). 

Step 3: In the Affidavit Supporting the Warrant, Include an Explanation of the Search Strategy 
(Such as the Need to Conduct an Off-site Search) as Well as the Practical and Legal 
Considerations That Will Govern the Execution of the Search 

The third step in drafting a successful computer search warrant is to explain both the search 
strategy and the practical considerations underlying the strategy in the affidavit. For example, if agents 
expect that they may need to seize a personal computer and search it off-site to recover the relevant 
evidence, the affidavit should explain this expectation and its basis to the magistrate judge. The 
affidavit should inform the court of the practical limitations of conducting an on-site search, and should 
articulate the plan to remove the entire computer from the site if it becomes necessary. The affidavit 
should also explain what techniques the agents expect to use to search the computer for the specific files 
that represent evidence of crime and may be intermingled with entirely innocuous documents. If the 
search strategy has been influenced by legal considerations such as potential PPA liability, the affidavit 
should explain how and why. If the agents have authority to seize hardware because the 
hardware itself is evidence, contraband, or an instrumentality of crime, the affidavit should explain 
whether the agents intend to search the hardware following the seizure, and, if so, for what. In sum, the 
affidavit should address all of the relevant practical and legal issues that the agents have considered in 
the course of planning the search, and should explain the course of conduct that the agents will follow as 
a result. Although no particular language is required, Appendix F offers sample language that agents 
may find useful in many situations. Finally, when the search strategy is complicated or the affidavit is 
under seal, it is a good practice for agents to reproduce the explanation of the search strategy contained 
in the affidavit as an attachment to the warrant itself. 

The reasons for articulating the search strategy in the affidavit are both practical and legal. On a 
practical level, explaining the search strategy in the affidavit creates a document that both the court and 
the agents can read and refer to as a guide to the execution of the search. See Nat'l City Trading Corp. 
v. United States, 635 F.2d 1020, 1026 (2d Cir. 1980) (“[W]e note with approval the care taken by the 
Government in the search involved here. . . . Such self-regulatory care [in executing a warrant] is 
conduct highly becoming to the Government.”). Similarly, if the explanation of the search strategy is 
reproduced as an attachment to the warrant and given to the subject of the search pursuant to Rule 41(d), 
the explanation permits the owner of the searched property to satisfy himself during the search that the 
agents’ conduct is within the scope of the warrant. See Michigan v. Tyler, 436 U.S. 499, 508 (1978) 
(noting that “a major function of the warrant is to provide the property owner with sufficient information 
to reassure him of the entry's legality”). Finally, as a legal matter, explaining the search strategy in the 
affidavit helps to counter defense counsel motions to suppress based on the agents’ alleged “flagrant 
disregard” of the warrant during the execution of the search. 

To understand motions to suppress based on the “flagrant disregard” standard, agents and 
prosecutors should recall the limitations on search and seizure imposed by Rule 41 and the Fourth 
Amendment. In general, the Fourth Amendment and Rule 41 limit agents to searching for and seizing 
property described in the warrant that is itself evidence, contraband, fruits, or instrumentalities of crime. 
See United States v. Tamura, 694 F.2d 591, 595 (9th Cir. 1982); see also Appendix F (describing 
property that may be seized according to Rule 41). If agents execute a warrant and seize additional 
property not described in the warrant, defense counsel can file a motion to suppress the additional 
evidence. Motions to suppress such additional evidence are filed relatively rarely because, if granted, 
they result only in the suppression of the property not named in the warrant. See United States v. 
Hargus, 128 F.3d 1358, 1363 (10th Cir. 1997). On the other hand, defense counsel will often attempt to 
use the seizure of additional property as the basis for a motion to suppress all of the evidence obtained in 
a search. To be entitled to the extreme remedy of blanket suppression, the defendant must establish that 
the seizure of additional materials proves that the agents executed the warrant in “flagrant disregard” of 
its terms. See, e.g., United States v. Le, 173 F.3d 1258, 1269 (10th Cir. 1999); United States v. Matias, 
836 F.2d 744, 747-48 (2d Cir. 1988) (citing cases). A search is executed in “flagrant disregard” of its 
terms when the officers so grossly exceed the scope of the warrant during execution that the authorized 
search appears to be merely a pretext for a ‘fishing expedition’ through the target’s private property. 
See, e.g., United States v. Liu, - F.3d -, 2000 WL 1876779 (2d Cir. 2000); United States v. Foster, 100 
F.3d 846, 851 (10th Cir. 1996); United States v. Young, 877 F.2d 1099, 1105-06 (1st Cir. 1989). 

Motions to suppress alleging “flagrant disregard” are common in computer searches because, for 
practical and technical reasons, agents executing computer searches frequently must seize hardware or 
files that are not described in the warrant. For example, agents who have probable cause to believe that 
evidence of a defendant's fraud scheme is stored on the defendant's home computer may have to seize 
the entire computer and search it off-site. See discussion supra. Defense lawyers often argue that by 
seizing more than the specific computer files named in the warrant, the agents “flagrantly disregarded” 
the seizure authority granted by the warrant. See, e.g., United States v. Henson, 848 F.2d 1374, 1383 
(6th Cir. 1988); United States v. Hunter, 13 F. Supp. 2d 574, 585 (D. Vt. 1998); United States v. 
Gawrysiak, 972 F. Supp. 853, 865 (D.N.J. 1997), aff'd, 178 F.3d 1281 (3d Cir. 1999); United States v. 
Sissler, 1991 WL 239000, at *3 (W.D. Mich. 1991), aff'd, 966 F.2d 1455 (6th Cir. 1992); United States 
v. Schwimmer, 692 F. Supp. 119, 126 (E.D.N.Y. 1988). 

Prosecutors can best respond to “flagrant disregard” motions by showing that any seizure of 
property not named in the warrant resulted from a good faith response to inherent practical difficulties, 
rather than a wish to conduct a general search of the defendant's property under the guise of a narrow 
warrant. The courts have recognized the practical difficulties that agents face in conducting computer 
searches for specific files, and have approved off-site searches despite the incidental seizure of 
additional property. See, e.g., Davis v. Gracey, 111 F.3d 1472, 1280 (10th Cir. 1997) (noting “the 
obvious difficulties attendant in separating the contents of electronic storage [sought as evidence] from 
the computer hardware [seized] during the course of a search”); United States v. Schandl, 947 F.2d 462, 
465-466 (11th Cir. 1991) (noting that an on-site search “might have been far more disruptive” than the 
off-site search conducted); Henson, 848 F.2d at 1383-84 (“We do not think it is reasonable to have 
required the officers to sift through the large mass of documents and computer files found in the 
[defendant's] office, in an effort to segregate those few papers that were outside the warrant.”); United 
States v. Scott-Emuakpor, 2000 WL 288443, at *7 (W.D. Mich. 2000) (noting “the specific problems 
associated with conducting a search for computerized records” that justify an off-site search); 
Gawrysiak, 972 F. Supp. at 866 (“The Fourth Amendment's mandate of reasonableness does not require 
the agent to spend days at the site viewing the computer screens to determine precisely which documents 
may be copied within the scope of the warrant.”); Sissler, 1991 WL 239000, at *4 (“The police . . . were 
not obligated to inspect the computer and disks at the . . . residence because passwords and other 
security devices are often used to protect the information stored in them. Obviously, the police were 
permitted to remove them from the . . . residence so that a computer expert could attempt to 'crack' these 
security measures, a process that takes some time and effort. Like the seizure of documents, the seizure 
of the computer hardware and software was motivated by considerations of practicality. Therefore, the 
alleged carte blanche seizure of them was not a 'flagrant disregard' for the limitations of a search 
warrant.”). See also United States v. Upham, 168 F.3d 532, 535 (1st Cir. 1999) (“It is no easy task to 
search a well-laden hard drive by going through all of the information it contains .... The record shows 
that the mechanics of the search for images later performed [off-site] could not readily have been done 
on the spot.”); United States v. Lamb, 945 F. Supp. 441, 462 (N.D.N.Y. 1996) (“[I]f some of the image 
files are stored on the internal hard drive of the computer, removing the computer to an FBI office or lab 
is likely to be the only practical way of examining its contents.”). 

The decisions permitting off-site computer searches are bolstered by analogous ‘physical-world’ 
cases that have authorized agents to remove file cabinets and boxes of paper documents so that agents 
can review the contents off-site for the documents named in the warrant. See, e.g., United States v. 
Hargus, 128 F.3d 1358, 1363 (10th Cir. 1997) (concluding that “wholesale seizure of file cabinets and 
miscellaneous papers” did not establish flagrant disregard because the seizure “was motivated by the 
impracticability of on-site sorting and the time constraints of executing a daytime search warrant”); 
Crooker v. Mulligan, 788 F.2d 809, 812 (1st Cir. 1986) (noting cases “upholding the seizure of 
documents, both incriminating and innocuous, which are not specified in a warrant but are intermingled, 
in a single unit, with relevant documents”); United States v. Tamura, 694 F.2d 591, 596 (9th Cir. 1982) 
(ruling that the district court properly denied suppression motion “where the Government's wholesale 
seizures were motivated by considerations of practicality rather than by a desire to engage in 
indiscriminate 'fishing'”); United States v. Hillyard, 677 F.2d 1336, 1340 (9th Cir. 1982) (“If 
commingling prevents on-site inspection, and no other practicable alternative exists, the entire property 
may be seizable, at least temporarily.”). 

Explaining the agent's search strategy and the practical considerations underlying the strategy in 
the affidavit can help ensure that the execution of the search will not be deemed in “flagrant disregard” 
of the warrant. Cf. United States v. Hay, 231 F.3d 630, 634 (9th Cir. 2000) (suggesting that a magistrate 
judge’s authorization of a search supported by an affidavit that explained the need for an off-site search 
of a computer constituted “the magistrate judge’s authorization” of the off-site search); United States v. 
Campos, 221 F.3d 1143, 1147 (10th Cir. 2000) (relying on the explanation of the search strategy 
contained in the affidavit in the course of holding that a computer warrant was not overbroad). A 
careful explanation of the search strategy illustrates the agent's good faith and due care, articulates the 
practical concerns driving the search, and permits the judge to authorize the strategy described in the 
affidavit. A search that complies with the strategy explained in the supporting affidavit will not be in 
flagrant disregard of the warrant. See, e.g., Gawrysiak, 973 F. Supp. at 866 (commending agents for 
conducting a computer search with “considerable care” based on the submission of a “detail-rich” 
supporting affidavit and a written search plan). 

• When agents expect that the files described in the warrant will be commingled with innocent files 
outside of the warrant’s scope, it is a good practice, if technically possible, to explain in the 
affidavit how the agents plan to search the computer for the targeted files. 

When agents conduct a search for computer files and other electronic evidence stored in a hard 
drive or other storage device, the evidence may be commingled with data and files that have no relation 
to the crime under investigation. Figuring out how best to locate and retrieve the evidence amidst the 
unrelated data is more of an art than a science, and often requires significant technical expertise and 
careful attention to the facts. As a result, agents may or may not know at the time the warrant is 
obtained how the storage device should be searched, and, in beginning the search, may or may not know 
whether it will be possible to locate the evidence without conducting an extensive search through 
unrelated files. 

When agents have a factual basis for believing that they can locate the evidence using a specific set 
of techniques, the affidavit should explain the techniques that the agents plan to use to distinguish 
incriminating documents from commingled documents. Depending on the circumstances, it may be 
helpful to consult with experts in computer forensics to determine what kind of search can be conducted 
to locate the particular files described in the warrant. In some cases, a “key word” search or similar 
surgical approach may be possible. Such an approach may permit law enforcement to locate the 
incriminating files without conducting an extensive search through innocent files that happen to be 
mixed together with the incriminating files that are the target of the search. Notably, the Fourth 
Amendment does not generally require such an approach. See United States v. Hunter, 13 F. Supp. 2d 
574, 584 (D. Vt. 1998) (“Computer records searches are no less constitutional than searches of physical 
records, where innocuous documents may be scanned to ascertain their relevancy.”); United States v. 
Lloyd, 1998 WL 846822, at *3 (E.D.N.Y. 1998). However, in extensive dicta, the Tenth Circuit has 
indicated that it favors such a narrow approach because it minimizes the possibility that the government 
will be able to use a narrow warrant to justify a broader search. See United States v. Carey, 172 F.3d 
1268, 1275-76, 1275 n.8 (10th Cir. 1999) (citing Raphael Winick, Searches and Seizures of Computers 
and Computer Data, 8 Harv. J. L. & Tech. 75, 108 (1994)); Campos, 221 F.3d at 1148. See also 
Gawrysiak, 972 F. Supp. at 866 (suggesting in dicta that agents executing a search for computer files 
“could have at the least checked the date on which each file was created, and avoided copying those files 
that were created before the time period covered by the warrant”). 

Of course, in many cases a narrow approach will be technically impossible. The targeted files may 
be mislabeled, hidden, oddly configured, written using code words to escape detection, encrypted, or 
otherwise impossible to find using a simple technique such as a “key word” search. Because some 
judges may fail to appreciate such technical difficulties, it is a good practice as a matter of policy for 
agents to discuss these issues in the affidavit if it appears that a narrow search will not be effective. In 
such cases, a more extensive search through innocent files will be necessary to determine which files fall 
within the scope of the warrant. Explaining these practical needs in the affidavit can make clear at the 
outset why an extensive search will not be in “flagrant disregard” of the warrant, and why the extensive 
search complies fully with traditional Fourth Amendment principles. See Andresen v. Maryland, 427 
U.S. 463, 482 n.11 (1976) (“In searches for papers, it is certain that some innocuous documents will be 
examined, at least cursorily, in order to determine whether they are, in fact, among those papers 
authorized to be seized.”); United States v. Riley, 906 F.2d 841, 845 (2d Cir. 1990) (noting that records 
searches permit agents to search through many papers because “few people keep documents of their 
criminal transactions in a folder marked ‘[crime] records.’”); United States v. Gray, 78 F. Supp. 2d 524, 
530 (E.D. Va. 1999) (noting that agents executing a search for computer files “are not required to accept 
as accurate any file name or suffix and [to] limit [their] search accordingly,” because criminals may 
“intentionally mislabel files, or attempt to bury incriminating files within innocuously named 
directories.”); Hunter, 13 F. Supp. 2d at 584; United States v. Sissler, 1991 WL 239000, at *4 (W.D. 
Mich. 1991) (“[T]he police were not obligated to give deference to the descriptive labels placed on the 
discs by [the defendant]. Otherwise, records of illicit activity could be shielded from seizure by simply 
placing an innocuous label on the computer disk containing them.”). 

• When agents obtain a warrant to seize hardware that is itself evidence, contraband, or an 
instrumentality of crime, they should explain in the affidavit whether and how they plan to search 
the hardware following the seizure. 

When agents have probable cause to seize hardware because it is evidence, contraband, or an 
instrumentality of crime, the warrant will ordinarily describe the property to be seized as the hardware 
itself. In many of these cases, however, the agents will plan to search the hardware after it is seized for 
electronic data stored inside the hardware that also constitute evidence or contraband. It is a good 
practice for agents to inform the magistrate of this plan in the supporting affidavit. Although the courts 
have upheld searches when agents did not explain this expectation in the affidavit, see, e.g., United 
States v. Simpson, 152 F.3d 1241, 1248 (10th Cir. 1998) (discussed infra), the better practice is to 
inform the magistrate in the affidavit of the agents’ plan to search the hardware following the seizure. 



D. Post-Seizure Issues 

In many cases, computer equipment that has been seized will be sent to a laboratory for forensic 
examination. The time that may elapse before a technical specialist completes the forensic examination 
varies widely, depending on the hardware itself, the evidence sought, and the urgency of the search. In 
most cases, however, the elapsed time is a matter of months. Several legal issues may arise during the 
post-seizure period that implicate the government's right to retain and search the computers in their 
custody. 



1. Searching Computers Already in Law Enforcement Custody 

• In general, agents should obtain a second warrant to search a computer seized pursuant to a valid 
warrant if the property targeted by the proposed search is different from that underlying the first 
warrant. 

Agents often seize a computer pursuant to a warrant, and then ask whether they need a second 
warrant to search the computer. Whether a second warrant is needed depends on the purpose of the 
search. If agents plan to search the computer for the information that was the target of the original 
seizure, no second warrant is required. For example, in United States v. Simpson, 152 F.3d 1241 (10th 
Cir. 1998), investigators obtained a warrant to seize the defendant's “computer diskettes . . . and the 
defendant's computer” based on probable cause to believe it contained child pornography. The 
investigators seized the computer and then searched it in police custody, finding child pornography 
images. On appeal following conviction, the defendant claimed that the investigators lacked the 
authority to search the computer because the warrant merely authorized the seizure of equipment. The 
Tenth Circuit rejected the argument, concluding that a warrant to seize computer equipment permitted 
agents to search the equipment. See id. at 1248. See also United States v. Gray, 78 F. Supp. 2d 524, 
530-31 (E.D. Va. 1999) (holding that initial warrant authorizing search for evidence of computer 
hacking justified a subsequent search for such evidence, even though agents uncovered incriminating 
evidence beyond the scope of the warrant in the course of executing the search). 

If investigators seize computer equipment for the evidence it contains and later decide to search the 
equipment for different evidence, however, they should obtain a second warrant. In United States v. 
Carey, 172 F.3d 1268 (10th Cir. 1999), detectives obtained a warrant to search the defendant's computer 
for records of narcotics sales. Searching the computer back at the police station, a detective discovered 
images of child pornography. At that point, the detective “abandoned the search for drug-related 
evidence” and instead searched the entire hard drive for evidence of child pornography. Id. at 1277-78. 
The Tenth Circuit suppressed the child pornography, holding that the subsequent search for child 
pornography was “impermissible general rummaging” that exceeded the scope of the original warrant. 
Id. at 1276 (Baldock, J., concurring); Id. at 1273. Compare Gray, 78 F. Supp. 2d at 530-31 (upholding 
search where agent discovered child pornography in the course of looking for evidence of computer 
hacking pursuant to a warrant, and then obtained a second warrant before searching the computer for 
child pornography). 

Notably, Carey’s focus on the agent’s subjective intent may reflect a somewhat outdated view of 
the Fourth Amendment. The Supreme Court’s recent Fourth Amendment cases generally have declined 
to examine an agent’s subjective intent, and instead have focused on whether the circumstances, viewed 
objectively, justified the agent’s conduct. See, e.g., Whren v. United States, 517 U.S. 806, 813 (1996); 
Horton v. California, 496 U.S. 128, 138 (1990). Relying on these precedents, several courts have 
indicated that an agent’s subjective intent during the execution of a warrant no longer determines 
whether the search exceeded the scope of the warrant and violated the Fourth Amendment. See United 
States v. Van Dreel, 155 F.3d 902, 905 (7th Cir. 1998) (“[U]nder Whren, . . . once probable cause exists, 
and a valid warrant has been issued, the officer’s subjective intent in conducting the search is 
irrelevant.”); United States v. Ewain, 88 F.3d 689, 694 (9th Cir. 1996) (“Using a subjective criterion 
would be inconsistent with Horton, and would make suppression depend too much on how the police tell 
their story, rather than on what they did.”). According to these cases, the proper inquiry is whether, 
from an objective perspective, the search that the agents actually conducted was consistent with the 
warrant obtained. See Ewain, 88 F.3d at 694. The agent’s subjective intent is either “irrelevant,” Van 
Dreel, 155 F.3d at 905, or else merely one factor in the overall determination of “whether the police 
confined their search to what was permitted by the search warrant.” Ewain, 88 F.3d at 694. 



2. The Permissible Time Period For Examining Seized Computers 

• Neither Rule 41 nor the Fourth Amendment creates any specific time limits on the government's 
forensic examination of seized computers. Some magistrate judges have begun imposing such 
limitations, however. 

Despite the best efforts of the government to analyze seized computers quickly, the forensic 
examination of seized computers often takes months to complete because computers can store enormous 
amounts of data. As a result, suspects whose computers have been seized may be deprived of their 
computer hardware for an extended period of time. Neither Rule 41 nor the Fourth Amendment imposes 
any specific limitation on the time period of the government's forensic examination. The government 
ordinarily may retain the seized computer and examine its contents in a careful and deliberate manner 
without legal restrictions, subject only to Rule 41(e)'s authorization that a “person aggrieved” by the 
seizure of property may bring a motion for the return of the property (see “Rule 41(e) Motions for 
Return of Property,” infra). 

A few magistrate judges have taken a different view, however. Several magistrate judges have 
refused to sign search warrants authorizing the seizure of computers unless the government conducts the 
forensic examination in a short period of time, such as thirty days. Some magistrate judges have 
imposed time limits as short as seven days, and several have imposed specific time limits when agents 
apply for a warrant to seize computers from operating businesses. In support of these limitations, a few 
magistrate judges have expressed their concern that it might be constitutionally “unreasonable” under 
the Fourth Amendment for the government to deprive individuals of their computers for more than a 
short period of time. Other magistrates have suggested that Rule 41's requirement that agents execute a 
“search” within 10 days of obtaining the warrant might apply to the forensic analysis of the computer as 
well as the initial search and seizure. See Fed. R. Crim. P. 41(c)(1). 

The law does not expressly authorize magistrate judges to issue warrants that impose time limits 
on law enforcement’s examination of seized evidence. Although the relevant case law is sparse, it 
suggests that magistrate judges lack the legal authority to refuse to issue search warrants on the ground 
that they believe that the agents may, in the future, execute the warrants in an unconstitutional fashion. 
See Abraham S. Goldstein, The Search Warrant, the Magistrate, and Judicial Review, 62 N.Y.U. L. 
Rev. 1173, 1196 (1987) (“The few cases on [whether a magistrate judge can refuse to issue a warrant on 
the ground that the search may be executed unconstitutionally] hold that a judge has a ‘ministerial’ duty 
to issue a warrant after ‘probable cause’ has been established.”); In re Worksite Inspection of Quality 
Products, Inc., 592 F.2d 611, 613 (1st Cir. 1979) (noting the limited role of magistrate judges in issuing 
search warrants). As the Supreme Court suggested in one early case, the proper course is for the 
magistrate to issue the warrant so long as probable cause exists, and then to permit the parties to litigate 
the constitutional issues afterwards. See Ex Parte United States, 287 U.S. 241, 250 (1932) (“The refusal 
of the trial court to issue a warrant ... is, in reality and effect, a refusal to permit the case to come to a 
hearing upon either questions of law or fact, and falls a little short of a refusal to permit the enforcement 
of the law.”). 

Prosecutors should also be prepared to explain to magistrate judges why a forensic search for files 
stored in a seized computer need not occur within 10 days of obtaining the warrant. Rule 41(c)(1) 
requires that the agents who obtain a warrant must “search, within a specified period of time not to 
exceed 10 days, the person or place named for the property or person specified.” This rule directs agents 
to search the place named in the warrant and seize the property specified within 10 days so that the 
warrant does not become ‘stale’ before it is executed. See United States v. Sanchez, 689 F.2d 508, 512 
n.5 (5th Cir. 1982). This rule does not apply to the forensic analysis of evidence that has already been 
seized, however; even if such analysis involves a Fourth Amendment “search” in some cases, it plainly 
does not occur in “the place . . . named” in the warrant. An analogy to paper documents may be 
helpful. A Rule 41 warrant that authorizes the seizure of a book requires that the book must be seized 
from the place described in the warrant within 10 days. However, neither the warrant nor Rule 41 
requires law enforcement to examine the book and complete any forensic analysis of its pages within the 
same 10-day period. Cf. Commonwealth v. Ellis, 10 Mass. L. Rptr. 429, 1999 WL 815818, at *8-9 
(Mass. Super. 1999) (interpreting analogous state law provision) (“The ongoing search of the computer's 
memory need not have been accomplished within the . . . period required for return of the warrant.”). 

Although the legal basis for imposing time limits on forensic analysis is unclear, a magistrate 
judge’s refusal to issue a computer search warrant absent time limitations can create significant 
headaches for prosecutors. As a practical matter, prosecutors often have little choice but to go along 
with the magistrate judge's wishes. A judge's refusal to sign a search warrant generally is not an 
appealable final order, and the prosecutor's only recourse is to turn to another judge, who will want to 
know why the first judge refused to sign the warrant. See United States v. Savides, 658 F. Supp. 1399, 
1404 (N.D. Ill. 1987), aff’d in relevant part sub nom. United States v. Pace, 898 F.2d 1218, 1230 (7th Cir. 
1990). As a practical matter, then, prosecutors will often have little choice but to try to convince the 
judge not to impose a time limit, and if that fails, to request extensions when the time period proves 
impossible to follow. 

At least one court has adopted the severe position that suppression is appropriate when the 
government fails to comply with court-imposed limits on the time period for reviewing seized 
computers. In United States v. Brunette, 76 F. Supp. 2d 30 (D. Me. 1999), a magistrate judge permitted 
agents to seize the computers of a child pornography suspect on the condition that the agents searched 
through the computers for evidence “within 30 days.” The agents executed the search five days later, 
and seized several computers. A few days before the thirty-day period elapsed, the government applied 
for and obtained a thirty-day extension of the time for review. The agents then reviewed all but one of 
the seized computers within the thirty-day extension period, and found hundreds of images of child 
pornography. However, the agents did not begin reviewing the last of the computers until two days after 
the extension period had elapsed. The defendant moved for suppression of the child pornography 
images found in the last computer, on the ground that the search outside of the sixty-day period violated 
the terms of the warrant and subsequent extension order. The court agreed, stating that “because the 
Government failed to adhere to the requirements of the search warrant and subsequent order, any 
evidence gathered from the . . . computer is suppressed.” Id. at 42. 

The result in Brunette makes little sense either under Rule 41 or the Fourth Amendment. Even 
assuming that a magistrate judge has the authority to impose time constraints on forensic testing in the 
first place, it seems incongruous to impose suppression for violations of such conditions when analogous 
violations of Rule 41 itself would not result in suppression. Compare Brunette with United States v. 
Twenty-Two Thousand, Two Hundred Eighty Seven Dollars ($22,287.00), U.S. Currency, 709 F.2d 
442, 448 (6th Cir. 1983) (rejecting suppression when agents began search “shortly after” 10 p.m., even 
though Rule 41 states that all searches must be conducted between 6:00 a.m. and 10 p.m.). This is 
especially true when the hardware to be searched was a container of contraband child pornography, and 
therefore was itself an instrumentality of crime that was not subject to return. 



3. Rule 41(e) Motions for Return of Property 

Rule 41(e) states: 

A person aggrieved by an unlawful search and seizure or by the deprivation of property may 
move the district court for the district in which the property was seized for the return of the 
property on the ground that such person is entitled to lawful possession of the property. The 
court shall receive evidence on any issue of fact necessary to the decision of the motion. If 
the motion is granted, the property shall be returned to the movant, although reasonable 
conditions may be imposed to protect access and use of the property in subsequent 
proceedings. If a motion for return of property is made or comes on for hearing in the 
district of trial after an indictment or information is filed, it shall be treated also as a motion 
to suppress under Rule 12. 



Fed. R. Crim. P. 41(e). 

Rule 41(e) has particular importance in computer search cases because it permits owners of seized 
computer equipment to move for the return of the equipment before an indictment is filed. In some 
cases, defendants will file such motions because they believe that the seizure of their equipment violated 
the Fourth Amendment. If they are correct, the equipment must be returned. See, e.g., In re Grand Jury 
Investigation Concerning Solid States Devices, Inc., 130 F.3d 853 (9th Cir. 1997). Rule 41(e) also 
permits owners to move for a return of their property when the seizure was lawful, but the movant is 
“aggrieved by the government's continued possession of the seized property.” Id. at 856. The 
multi-functionality of computer equipment occasionally leads to Rule 41(e) motions on this basis. For 
example, a suspect under investigation for computer hacking may file a motion claiming that he must 
have his computer back to calculate his taxes or check his e-mail. Similarly, a business suspected of 
fraud may file a motion for the return of its equipment claiming that it needs the equipment returned or 
else the business will suffer. 

Owners of properly seized computer equipment must overcome several formidable barriers before 
a court will order the government to return the equipment. First, the owner must convince the court that 
it should exercise equitable jurisdiction over the owner's claim. See Floyd v. United States, 860 F.2d 
999, 1003 (10th Cir. 1988) (“Rule 41(e) jurisdiction should be exercised with caution and restraint.”). 
Although the jurisdictional standards vary widely among different courts, most courts will assert 
jurisdiction over a Rule 41(e) motion only if the movant establishes: 1) that being deprived of 
possession of the property causes 'irreparable injury', and 2) that the movant is otherwise without a 
remedy at law. See In re the Matter of the Search of Kitty's East, 905 F.2d 1367, 1370-71 (10th Cir. 
1990). Compare Ramsden v. United States, 2 F.3d 322, 325 (9th Cir. 1993) (articulating four-factor 
jurisdictional test from pre-1989 version of Rule 41(e)). If the movant establishes these elements, the 
court will move to the merits of the claim. On the merits, seized property will be returned only if the 
government's continued possession is unreasonable. See Ramsden, 2 F.3d at 326. This test requires the 
court to weigh the government's interest in continued possession of the property with the owner's 
interest in the property's return. See United States v. Premises Known as 608 Taylor Ave., 584 F.2d 1297, 1304 
(3d Cir. 1978). In particular: 

If the United States has a need for the property in an investigation or prosecution, its 
retention of the property generally is reasonable. But, if the United States' legitimate 
interests can be satisfied even if the property is returned, continued retention of the property 
would be unreasonable. 

Advisory Committee Notes to the 1989 Amendment of Rule 41(e) (quoted in Ramsden, 2 F.3d at 326; 
Kitty's East, 905 F.2d at 1375). 

Rule 41(e) motions requesting the return of properly seized computer equipment succeed only 
rarely. First, courts will usually decline to exercise jurisdiction over the motion if the government has 
offered the property owner an electronic copy of the seized computer files. See In re Search Warrant 
Executed February 1, 1995, 1995 WL 406276, at *2 (S.D.N.Y. 1995) (concluding that owner of seized 
laptop computer did not show irreparable harm where government offered to allow owner to copy files it 
contained); United States v. East Side Ophthalmology, 1996 WL 384891, at *4 (S.D.N.Y. 1996). See 
also Standard Drywall, Inc. v. United States, 668 F.2d 156, 157 n.2 (2d Cir. 1982) (“We seriously 
question whether, in the absence of seizure of some unique property or privileged documents, a party 
could ever demonstrate irreparable harm [justifying jurisdiction] when the Government either provides 
the party with copies of the items seized or returns the originals to the party and presents the copies to 
the jury.”). 

Second, courts that reach the merits generally find that the government's interest in the computer 
equipment outweighs the defendant's so long as a criminal prosecution or forfeiture proceeding is in the 
works. See United States v. Stowe, 1996 WL 467238 (N.D. Ill. 1996) (continued retention of computer 
equipment is reasonable after 18 months where government claimed that investigation was ongoing and 
defendant failed to articulate his need for the equipment's return); In the Matter of Search Warrant for 
K-Sports Imports, Inc., 163 F.R.D. 594, 597 (C.D. Cal. 1995) (denying motion for return of computer 
records relating to pending forfeiture proceedings). See also Johnson v. United States, 971 F. Supp. 862, 
868 (D.N.J. 1997) (denying Rule 41(e) motion to return bank's computer tapes because bank was no 
longer an operating business). If the government does not plan to use the computers in further 
proceedings, however, the computer equipment must be returned. See United States v. Moore, 188 F.3d 
516, 1999 WL 650568, at *6 (9th Cir. 1999) (unpublished) (ordering return of computer where “the 
government's need for retention of the computer for use in another proceeding now appears . . . 
remote”); K-Sports Imports, Inc., 163 F.R.D. at 597. Further, a court may grant a Rule 41(e) motion if 
the defendant cannot operate his business without the seized computer equipment and the government 
can work equally well from a copy of the seized files. See United States v. Bryant, 1995 WL 555700, at 
*3 (S.D.N.Y. 1995) (referring to magistrate judge's prior unpublished ruling ordering the return of 
computer equipment, and stating that “the Magistrate Judge found that defendant needed this machinery 
to operate his business”). 



III. THE ELECTRONIC COMMUNICATIONS PRIVACY ACT 



A. Introduction 

• ECPA regulates how the government can obtain stored account information from network service 
providers such as ISPs. Whenever agents or prosecutors seek stored e-mail, account records, or 
subscriber information from a network service provider, they must comply with ECPA. The 
practical effect of ECPA’s classifications can be understood most easily using a chart such as the 
one that appears in Part F of this chapter. 

The stored communication portion of the Electronic Communications Privacy Act (“ECPA”), 18 
U.S.C. §§ 2701-11, creates statutory privacy rights for customers and subscribers of computer network 
service providers. 

In a broad sense, ECPA exists largely to “fill in the gaps” left by the uncertain application of 
Fourth Amendment protections to cyberspace. To understand these gaps, consider the legal protections 
we have in our homes. The Fourth Amendment clearly protects our homes in the physical world: absent 
special circumstances, the government must first obtain a warrant before it searches there. When we use 
a computer network such as the Internet, however, we do not have a physical “home.” Instead, the 
closest most users have to a “home” is a network account consisting of a block of computer memory 
allocated to them but owned by a network service provider such as America Online. If law enforcement 
investigators need the contents of a network account or information about how it is used, they do not 
need to go to the user to get that information. Instead, the government can go to the network provider 
and obtain the information directly from the provider. Although the Fourth Amendment generally 
requires the government to obtain a warrant to search a home, it does not require the government to 
obtain a warrant to obtain the stored contents of a network account. Instead, the Fourth Amendment 
generally permits the government to issue a subpoena to a network provider ordering the provider to 
divulge the contents of an account. ECPA addresses this inequality by offering network account 
holders a range of statutory privacy rights against access to stored account information held by network 
service providers. 

Because ECPA is an unusually complicated statute, it can be helpful when approaching the statute 
for the first time to understand the intent of its drafters. The structure of ECPA reflects a series of 
classifications that indicate the drafters’ judgments about what kinds of information implicate greater or 
lesser privacy interests. For example, the drafters saw different privacy interests at stake in stored 
e-mails than in subscriber account information. Similarly, the drafters believed that computing services 
available “to the public” required more strict regulation than services that are not available to the public. 
Perhaps this judgment reflects the reality that providers available to the public are not likely to have 
close relationships with their customers, and therefore might have less incentive to protect their 
customers’ privacy. To protect the array of privacy interests identified by its drafters, ECPA offers 
varying degrees of legal protection depending on the perceived seriousness of the privacy interest 
involved. Some information can be obtained from providers with a mere subpoena; other information 
requires a special court order; and still other information requires a search warrant. In theory, the 
greater the privacy interest, the greater the privacy protection. 

Navigating through ECPA requires agents and prosecutors to apply the various classifications 
devised by ECPA's drafters to the facts of each case before they can figure out the proper procedure for 
obtaining the information sought. First, they must classify the network services provider (e.g., does the 
provider provide “electronic communication service,” “remote computing service,” or neither). Next, 
they must classify the information sought (e.g., is the information content “in electronic storage,” 
content held by a remote computing service, “a record . . . pertaining to a subscriber,” or basic 
subscriber information). Third, they must determine whether they are seeking to compel disclosure, or 
seeking to accept information disclosed voluntarily by the provider. If they seek compelled disclosure, 
they need to determine whether they need a search warrant, a 2703(d) court order, or a subpoena to 
compel the disclosure. If they are seeking to accept information voluntarily disclosed, they must 
determine whether the statute permits the disclosure. The chart contained in Part F of this chapter 
provides a useful way to apply these distinctions in practice. 

The organization of this chapter will follow ECPA’s various classifications. Part B explains how 
agents and prosecutors can classify providers, so as to distinguish providers of “electronic 
communications service” from providers of “remote computing service.” Part C explains the different 
kinds of information that providers can divulge, such as content “in electronic storage” and “records . . . 
pertaining to a subscriber.” Part D explains the legal process that agents and prosecutors must follow to 
compel a provider to disclose information. Part E looks at the flip side of this problem, and explains 
when providers may voluntarily disclose account information. A summary chart appears in Part F. The 
chapter ends with two additional sections. Part G discusses three important issues that may arise when 
agents obtain records from network providers: steps to preserve evidence, steps to prevent disclosure to 
subjects, and possible conflicts between ECPA and the Cable Act. Finally, Part H discusses the 
remedies that courts may impose following violations of ECPA. 

B. Providers of Electronic Communication Service vs. Remote Computing Service 






ECPA classifies providers covered by the statute into “provider[s] of electronic communication 
service” and “provider[s] of remote computing service.” To understand these terms, it helps to recall 
the era in which ECPA was drafted. In the mid-1980s, network account holders generally used 
third-party network service providers for two reasons. First, account holders used their accounts to send and 
receive communications such as e-mail. The use of computer networks to communicate prompted 
privacy concerns because in the course of sending and retrieving messages, it was common for several 
computers to copy the messages and store them temporarily. Copies that were created by these 
providers of “electronic communications service” and placed in a temporary “electronic storage” in the 
course of transmission sometimes stayed on a provider’s computer for several months. See H.R. Rep. 
No. 99-647, at 22 (1986). 

The second reason account holders used network service providers was to outsource tasks. For 
example, users paid to have remote computers store extra files, or process large amounts of data. When 
users hired such commercial “remote computing services” to perform tasks for them, they would send a 
copy of their private communications to a third-party computing service, which retained the data for 
later reference. Remote computing services raised privacy concerns because the service providers often 
retained copies of their customers' files. See S. Rep. No. 99-541 (1986), reprinted in 1986 U.S.C.C.A.N. 
3555, 3557. 

ECPA protects communications held by providers of electronic communication service when those 
communications are in “electronic storage,” as well as communications held by providers of remote 
computing service. To that end, the statute defines “electronic communication service,” “electronic 
storage,” and “remote computing service” in the following way: 



“Electronic communication service” 

An electronic communication service (“ECS”) is “any service which provides to users thereof the 
ability to send or receive wire or electronic communications.” 18 U.S.C. § 2510(15). For example, 
“telephone companies and electronic mail companies” generally act as providers of electronic 
communication services. See S. Rep. No. 99-541 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3568. 
See Jessup-Morgan v. America Online, Inc., 20 F. Supp. 2d 1105, 1108 (E.D. Mich. 1998) (America 
Online); FTC v. Netscape Communications Corp., 196 F.R.D. 559 (N.D. Cal. 2000) (Netscape). 

The legislative history and case law construing the definition of ECS indicate that whether a 
company provides ECS is highly contextual. The central issue is the company’s role in providing the 
ability to send or receive the precise communication at issue, regardless of the company’s primary 
business. See H.R. Rep. No. 99-647, at 65 (1986). Any company or government entity that provides 
others with means of communicating electronically can be a “provider of electronic communications 
service” relating to the communications it provides, even if providing communications service is merely 
incidental to the provider’s primary function. See Bohach v. City of Reno, 932 F. Supp. 1232, 1236 (D. 
Nev. 1996) (city that provided pager service to its police officers can be a provider of electronic 
communication service); Lopez v. First Union Nat'l Bank, 129 F.3d 1186 (11th Cir. 1997) (bank that 
provides electronic funds transfers can be a provider of electronic communication service). Cf. United 
States v. Mullins, 992 F.2d 1472, 1478 (9th Cir. 1993) (airline that provides travel agents with 
computerized travel reservation system accessed through separate computer terminals can be a provider 
of electronic communication service). 

Conversely, a service cannot provide ECS with respect to a communication if the service did not 
provide the ability to send or receive that communication. See Sega Enterprises Ltd. v. MAPHIA, 948 F. 
Supp. 923, 930-31 (N.D. Cal. 1996) (video game manufacturer that accessed private e-mail stored on 
another company’s bulletin board service in order to expose copyright infringement was not a provider 
of electronic communication service); State Wide Photocopy v. Tokai Fin. Servs. Inc., 909 F. Supp. 137, 
145 (S.D.N.Y. 1995) (financing company that used fax machines and computers but did not provide the 
ability to send or receive communications was not provider of electronic communication service). 



“Electronic storage” 

18 U.S.C. § 2510(17) defines “electronic storage” as “any temporary, intermediate storage of a 
wire or electronic communication incidental to the electronic transmission thereof,” and “any storage of 
such communication by an electronic communication service for purposes of backup protection of such 
communication.” The mismatch between the common sense meaning of “electronic storage” and its 
very particular definition has been a source of considerable confusion. It cannot be overemphasized that 
“electronic storage” refers only to temporary storage, made in the course of transmission, by a provider 
of electronic communication service. 

To determine whether a communication is in “electronic storage,” it helps to identify the 
communication’s final destination. A copy of a communication is in “electronic storage” only if it is a 
copy of a communication created at an intermediate point that is designed to be sent on to its final 
destination. For example, e-mail that has been received by a recipient’s service provider but has not yet 
been accessed by the recipient is in electronic storage. See Steve Jackson Games, Inc. v. United States 
Secret Service, 36 F.3d 457, 461 (5th Cir. 1994). At that stage, the copy of the stored communication 
exists only as a temporary and intermediate measure, pending the recipient’s retrieval of the 
communication from the service provider. Once the recipient accesses and retrieves the e-mail, 
however, the communication reaches its final destination. If a recipient then chooses to retain a copy of 
the accessed communication on the provider’s network, the copy stored on the network is no longer in 
“electronic storage” because the retained copy is no longer in “temporary, intermediate storage . . . 
incidental to . . . electronic transmission.” § 2510(17). Because the process of transmission to the 
intended recipient has been completed, the copy is simply a remotely stored file. See H.R. Rep. No. 
99-647, at 64-65 (1986) (noting Congressional intent to treat opened e-mail stored on a server under 
provisions relating to remote computing services, rather than provisions relating to services holding 
communications in “electronic storage”). 

As a practical matter, whether a communication is held in “electronic storage” by a provider 
governs whether that service provides ECS with respect to the communication. The two concepts are 
coextensive. Only a provider that holds a communication in “electronic storage” can provide ECS with 
respect to that communication. Conversely, any stored file held by a provider of ECS must be in 
“electronic storage.” If a communication is not in “electronic storage,” the service cannot provide ECS 
for that communication. Instead, the service must provide either “remote computing service” (also 
known as “RCS,” discussed below), or else neither ECS nor RCS. See discussion infra. 



“Remote computing service” 

The term “remote computing service” (“RCS”) is defined by 18 U.S.C. § 2711(2) as “provision to 
the public of computer storage or processing services by means of an electronic communications 
system.” An “electronic communications system” is “any wire, radio, electromagnetic, photooptical or 
photoelectronic facilities for the transmission of electronic communications, and any computer facilities 
or related electronic equipment for the electronic storage of such communications.” 18 U.S.C. § 
2510(14). 

Roughly speaking, a remote computing service is provided by an off-site computer that stores or 
processes data for a customer. See 1986 U.S.C.C.A.N. 3555, 3564-65. For example, a service provider 
that processes data in a time-sharing arrangement provides an RCS. See H.R. Rep. No. 99-647, at 23 
(1986). A mainframe computer that stores data for future retrieval also provides an RCS. See Steve 
Jackson Games, Inc. v. United States Secret Service, 816 F. Supp. 432, 443 (W.D. Tex. 1993) (holding 
that provider of bulletin board services was a remote computing service). In contrast with a provider of 
ECS, a provider of RCS acts in a two-way capacity with the customer. Files held by a provider of RCS 
are not on their way to a third intended destination; instead, they are stored or processed by the provider 
for the convenience of the account holder. Accordingly, files held by a provider acting as an RCS 
cannot be in “electronic storage” according to § 2510(17). 

Under the definition provided by § 2711(2), a service can only be a “remote computing service” if 
it is available “to the public.” Services are available to the public if they may be accessed by any user 
who complies with the requisite procedures and pays any requisite fees. For example, America Online 
is a provider to the public: anyone can obtain an AOL account. (It may seem odd at first that a service 
can charge a fee but still be considered available “to the public,” but this mirrors commercial 
relationships in the physical world. For example, movie theaters are open “to the public” because 
anyone can buy a ticket and see a show, even though tickets are not free.) In contrast, providers whose 
services are open only to those with a special relationship with the provider are not available to the 
public. For example, employers may offer network accounts only to employees. See Andersen 
Consulting LLP v. UOP, 991 F. Supp. 1041, 1043 (N.D. Ill. 1998) (interpreting the “providing ... to the 
public” clause in § 2702(a) to exclude an internal e-mail system that was provided to a hired contractor 
but was not available to “any member of the community at large”). Such providers cannot provide 
remote computing service because their network services are not available to the public. 

• Whether a provider is a provider of “electronic communication service,” a provider of “remote 
computing service,” or neither depends on the nature of the particular communication sought. 

For example, a single provider can simultaneously provide “electronic communication service” 
with respect to one communication and “remote computing service” with respect to another 
communication. 

An example can illustrate how these principles work in practice. Imagine that Joe sends an e-mail 
from his account at work (“joe@goodcompany.com”) to the personal account of his friend Jane 
(“jane@localisp.com”). The e-mail will stream across the Internet until it reaches the servers of Jane's 
Internet service provider, here the fictional LocalISP. When the message first arrives at LocalISP, 
LocalISP is a provider of ECS with respect to that message. Before Jane accesses LocalISP and 
retrieves the message, Joe's e-mail is in “electronic storage.” See Steve Jackson Games, Inc. v. United 
States Secret Service, 36 F.3d 457, 461 (5th Cir. 1994). Once Jane retrieves Joe's e-mail, she can either 
delete the message from LocalISP’s server, or else leave the message stored there. If Jane chooses to 
store the e-mail with LocalISP, LocalISP is now a provider of RCS with respect to the e-mail sent by 
Joe, not a provider of ECS. The role of LocalISP has changed from a transmitter of Joe’s e-mail to a 
storage facility for the file on LocalISP’s server. Joe's e-mail is now simply a file stored remotely for 
Jane by an RCS, in this case LocalISP. See H.R. Rep. No. 99-647, at 64-65 (1986) (noting 
Congressional intent to treat opened e-mail stored on a server under provisions relating to remote 
computing services, rather than services holding communications in “electronic storage”). 

Next imagine that Jane responds to Joe's e-mail. Jane's return e-mail to Joe will stream across the 
Internet to the servers of Joe's employer, Good Company. Before Joe retrieves the e-mail from Good 
Company's servers, Good Company is a provider of ECS with respect to Jane's e-mail (just like 
LocalISP was with respect to Joe's original e-mail before Jane accessed it). When Joe accesses Jane's 
e-mail message and the communication reaches its destination (Joe), Good Company ceases to be a 
provider of ECS with respect to that e-mail (just like LocalISP ceased to be a provider of ECS with 
respect to Joe’s original e-mail when Jane accessed it). Now for a more difficult question: what is the 
status of Good Company if Joe decides to store the opened e-mail on Good Company's server? The 
correct answer is that Good Company is now a provider of neither ECS nor RCS. Good Company does 
not provide RCS because unlike LocalISP, Good Company does not provide services to the public. See 
18 U.S.C. § 2711(2) (“[T]he term ‘remote computing service’ means the provision to the public of 
computer storage or processing services by means of an electronic communications system.”) (emphasis 
added); Andersen Consulting, 991 F. Supp. at 1043. Because Good Company provides neither ECS nor 
RCS with respect to the opened return e-mail in Joe's account, ECPA no longer regulates access to this 
e-mail, and such access is governed solely by the Fourth Amendment. Functionally speaking, Good 
Company has 'dropped out' of ECPA with respect to the opened return e-mail in Joe's account. 

Finally, imagine that both Joe and Jane decide to download copies of each other’s e-mails. Jane 
downloads a copy of Joe’s e-mail from LocalISP’s server to her personal computer at home, and Joe 
downloads a copy of Jane’s e-mail from Good Company’s server to his office desktop computer at 
work. At this point, ECPA’s treatment of the copies of the e-mails that remain on the servers is 
unchanged: LocalISP continues to provide RCS with respect to the copy of Joe’s e-mail stored in Jane’s 
account on LocalISP’s server, and Good Company still provides neither RCS nor ECS with respect to 
Jane’s e-mail stored in Joe’s account on Good Company’s server. But what about the copies of the 
e-mails now stored on Jane’s computer at home and Joe’s desktop computer at work? ECPA governs 
neither. Although these computers contain copies of e-mails, these copies are not stored on the server of 
a third-party provider of RCS or ECS, and therefore ECPA does not apply. Access to the copies of the 
communications stored in Jane’s personal computer at home and Joe’s office computer at work is 
governed solely by the Fourth Amendment. See generally Chapters 1 and 2. 

As this example indicates, a single provider can simultaneously provide RCS with regards to some 
communications, ECS with regard to others, and neither ECS nor RCS with regard to others. As a 
practical matter, however, agents do not need to grapple with these difficult issues in most cases. 
Instead, agents can simply draft the appropriate order based on the information they seek. For example, 
if the police suspect that Jane and Joe have conspired to commit a crime, the police might seek an order 
compelling LocalISP to divulge all files in Jane's account except for those in “electronic storage.” In 
plain English, this is equivalent to asking for all of Jane's opened e-mails and stored files. Alternatively, 
the police might seek an order compelling Good Company to disclose files in “electronic storage” in 
Joe's account. This is equivalent to asking for unopened e-mails in Joe's account. A helpful chart 
appears in Part E of this chapter. Sample language that may be used appears in Appendices B, E, and F. 



C. Classifying Types of Information Held by Service Providers 

Network service providers can store different kinds of information relating to an individual 
customer or subscriber. Consider the case of the e-mail exchange between Joe and Jane discussed 
above. Jane's service provider, LocalISP, probably has access to a range of information about Jane and 
her account. For example, LocalISP may have opened and unopened e-mails; account logs that reveal 
when Jane logged on and off LocalISP; Jane's credit card information for billing purposes; and Jane's 
name and address. When agents and prosecutors wish to obtain such records, they must be able to 
classify these types of information using the language of ECPA. ECPA breaks the information down 
into three categories: basic subscriber information listed in 18 U.S.C. § 2703(c)(1)(C); “record[s] or 
other information pertaining to a subscriber to or customer of [the] service;” and “contents.” 



1. Basic Subscriber Information Listed in 18 U.S.C. § 2703(c)(1)(C) 

18 U.S.C. § 2703(c)(1)(C) lists the types of information in the first category: 

the name, address, local and long distance telephone toll billing records, telephone number 
or other subscriber number or identity, and length of service of a subscriber to or customer 
of such service and the types of services the subscriber or customer utilized[.] 

With the exception of “name” and “address,” the categories listed in § 2703(c)(1)(C) can be 
difficult to translate into the present world of computer network accounts. The form and substance of 
the information that providers retain can change rapidly as technology advances. In general, however, 
investigators should resist the temptation to adopt overly broad interpretations of the ambiguous terms in 
§ 2703(c)(1)(C). With one exception, all of the items in this list relate solely to the identity of the 
subscriber and his relationship with the provider. See Jessup-Morgan v. America Online, Inc., 20 F. 
Supp.2d 1105, 1108 (E.D. Mich. 1998) (describing § 2703(c)(1)(C) information as “information 
identifying an . . . account customer”). The exception, telephone toll billing records, appears on the list 
of basic subscriber information mostly for historical reasons: the items listed in § 2703(c)(1)(C) may be 
obtained with a subpoena, and telephone toll billing records have traditionally been obtained using a 
subpoena. See, e.g., United States v. Cohen, 15 F.R.D. 269, 273 (S.D.N.Y. 1953). While the exact 
contours of § 2703(c)(1)(C) will remain ambiguous until the courts begin interpreting its language, 
investigators should not use this ambiguity to avoid obtaining more rigorous court orders required by 
ECPA to obtain most transactional information. 



2. Records or Other Information Pertaining to a Customer or Subscriber 

18 U.S.C. § 2703(c)(1)(A)-(B) covers a second type of information: “a record or other information 
pertaining to a subscriber to or customer of such service (not including the contents of communications 
. . . .).” This is a catch-all category that includes all records that are not contents, including basic 
subscriber information. 

Common examples of “record[s] . . . pertaining to a subscriber” include transactional records, such 
as account logs that record account usage; cell-site data for cellular telephone calls; and e-mail addresses 
of other individuals with whom the account holder has corresponded. See H.R. Rep. No. 103-827, at 10, 
17, 31 (1994), reprinted in 1994 U.S.C.C.A.N. 3489, at 3490, 3497, 3511; United States v. Allen, 53 
M.J. 402, 409 (C.A.A.F. 2000) (concluding that “a log identifying the date, time, user, and detailed 
internet address of sites accessed” by a user constituted “a record or other information pertaining to a 
subscriber or customer of such service” under ECPA). See also Hill v. MCI WorldCom, 120 F. Supp.2d 
1194, 1196 (S.D. Iowa 2000) (concluding that “invoice/billing information and the names, addresses, 
and phone numbers of parties . . . called” constituted “a record or other information pertaining to a 
subscriber or customer of such service” under § 2703(c)(1)(A) for a telephone account). According to 
the legislative history that accompanied § 2703(c)(1)(A)-(B), the purpose of separating the information 
listed in § 2703(c)(1)(C) from other records described in § 2703(c)(1)(A)-(B) was to distinguish basic 
subscriber information from more revealing transactional information that could contain a “person’s 
entire on-line profile.” 1994 U.S.C.C.A.N. at 3497, 3511. 



3. Contents 

The contents of a network account are the actual files stored in the account. See 18 U.S.C. § 
2510(8) (“‘contents,’ when used with respect to any wire, oral, or electronic communication, includes any 
information concerning the substance, purport, or meaning of that communication”). For example, 
stored e-mails are “contents,” as are word processing files stored in employee network accounts. The 
subject headers of e-mails are also contents, as they often include messages. Cf. Brown v. Waddell, 50 
F.3d 285, 292 (4th Cir. 1995) (noting that numerical pager messages provide “an unlimited range of 
number-coded substantive messages” in the course of holding that the interception of pager messages 
requires compliance with Title III). 

Contents can be further divided into three subcategories: contents stored “in electronic storage” by 
providers of electronic communication service; contents stored by providers of remote computing 
services; and contents stored by providers who provide neither electronic communications service nor 
remote computing service. The distinctions among these types of content are discussed in Part B, supra. 



D. Compelled Disclosure Under ECPA 

The compelled disclosure provisions of ECPA appear in 18 U.S.C. § 2703. Section 2703 
articulates the steps that the government must take to compel providers to disclose the contents of stored 
electronic communications such as e-mail, as well as other information such as account records and 
basic subscriber information. (Notably, § 2703 does not regulate the compelled disclosure of stored 
wire communications, such as stored voicemail. Instead, the compelled disclosure of stored wire 
communications held by a provider is governed by Title III, 18 U.S.C. §§ 2510-22. The distinction 
between wire communications and electronic communications, as well as the reason for treating stored 
wire communications differently than stored electronic communications, is discussed in Chapter 4, Part 
C, Section 2, infra.) 

Section 2703 offers five mechanisms that a “government entity” can use to compel a provider to 
disclose certain kinds of information. Each mechanism requires a different threshold showing. The five 
mechanisms, ranking in ascending order of the threshold showing required, are as follows: 

1) Subpoena 

2) Subpoena with prior notice to the subscriber or customer 

3) § 2703(d) court order 

4) § 2703(d) court order with prior notice to the subscriber or customer 

5) Search warrant 

One feature of the compelled disclosure provisions of ECPA is that greater process generally 
includes access to information that can be obtained with lesser process. Thus, a § 2703(d) court order 
can compel everything that a subpoena can compel (plus additional information), and a search warrant 
can compel the production of everything that a § 2703(d) order can compel (and then some). As a 
result, agents generally can opt to pursue a higher threshold instead of a lower one. The additional work 
required to satisfy a higher threshold will often be justified, both because it can authorize a broader 
disclosure and because pursuing a higher threshold provides extra insurance that the process complies 
fully with the statute. 



1. Subpoena 

• Investigators can subpoena basic subscriber information. 

ECPA permits the government to compel two kinds of information using a subpoena. First, the 
government may compel the disclosure of the basic subscriber information listed in 18 U.S.C. § 
2703(c)(1)(C): 

the name, address, local and long distance telephone toll billing records, telephone number 
or other subscriber number or identity, and length of service of a subscriber to or customer 
of such service and the types of services the subscriber or customer utilized[.] 

See 18 U.S.C. § 2703(c)(1)(C). 

Agents can also use a subpoena to obtain information that is outside the scope of ECPA. The 
hypothetical e-mail exchange between Jane and Joe discussed in Part B of this chapter provides a useful 
example. In that example, Joe retrieved Jane’s e-mail from the server of his employer Good Company, 
and opted to retain a copy of the communication on Good Company’s server. At that point, Good 
Company provided neither “remote computing service” nor “electronic communication service” with 
respect to that communication, because the communication had reached its destination and Good 
Company did not provide services to the public. See Part B, supra. Accordingly, § 2703 does not 
impose any requirements on its disclosure, and investigators can issue a subpoena compelling Good 
Company to divulge the communication just as they would if ECPA did not exist. Similarly, 
information relating or belonging to a person who is neither a “customer” nor a “subscriber” is not 
protected by ECPA, and may be obtained using a subpoena according to the same rationale. Cf. 
Organizacion JD Ltda. v. United States Department of Justice, 124 F.3d 354, 359-61 (2d Cir. 1997) 
(discussing the scope of the word “customer” as used in ECPA). 

The legal threshold for issuing a subpoena is low. See United States v. Morton Salt Co., 338 U.S. 
632, 642-43 (1950). Of course, evidence obtained in response to a federal grand jury subpoena must be 
protected from disclosure pursuant to Fed. R. Crim. P. 6(e). Subpoenas other than federal 
grand jury subpoenas may also be used to obtain disclosure pursuant to 18 U.S.C. § 2703(c)(1)(C): any 
federal or state grand jury or trial subpoena will suffice, as will an administrative subpoena authorized 
by a federal or state statute. See 18 U.S.C. § 2703(c)(1)(C). For example, subpoenas authorized by § 
6(a)(4) of the Inspector General Act may be used. See 5 U.S.C. app. However, at least one court has held 
that a pre-trial discovery subpoena issued in a civil case pursuant to Fed. R. Civ. P. 45 is inadequate. See 
FTC v. Netscape Communications Corp., 196 F.R.D. 559 (N.D. Cal. 2000). Sample subpoena language 
appears in Appendix E. 



2. Subpoena with Prior Notice to the Subscriber or Customer 

• Investigators can subpoena opened e-mail from a provider if they comply with the notice 
provisions of § 2703(b)(1)(B) and § 2705. 

Agents who obtain a subpoena, and either give prior notice to the subscriber or else comply with 
the delayed notice provisions of § 2705, may obtain: 

1) everything that can be obtained using a subpoena without notice; 

2) “the contents of any electronic communication” held by a provider of remote computing 
service “on behalf of ... a customer or subscriber of such remote computing service.” 18 
U.S.C. § 2703(b)(1)(B)(i), § 2703(b)(2); and 

3) “the contents of any electronic communication that has been in electronic storage in an 
electronic communications system for more than one hundred and eighty days.” 18 U.S.C. § 
2703(a). 

As a practical matter, this means that agents can obtain opened e-mail and other stored electronic 
communications not in electronic storage 180 days or less using a subpoena, so long as they comply 
with ECPA's notice provisions. See H.R. Rep. No. 99-647, at 64-65 (1986). 

In general, the notice provisions can be satisfied by giving the customer or subscriber “prior 
notice” of the disclosure. See 18 U.S.C. § 2703(b)(1)(B). However, 18 U.S.C. § 2705(a)(1)(B) and § 
2705(a)(4) permit notice to be delayed for successive 90-day periods “upon the execution of a written 
certification of a supervisory official that there is reason to believe that notification of the existence of 
the subpoena may have an adverse result.” 18 U.S.C. § 2705(a)(1)(B). Both “supervisory official” and 
“adverse result” are specifically defined terms for the purpose of delaying notice. See § 2705(a)(2) 
(defining “adverse result”); § 2705(a)(6) (defining “supervisory official”). Although prior notice serves 
important constitutional values, this provision of ECPA provides a permissible way for agents to delay 
notice when notice would jeopardize a pending investigation or endanger the life or physical safety of an 
individual. Cf. United States v. Donovan, 429 U.S. 413, 429 n.19 (1977) (noting that delayed notice 
provisions of Title III “satisfy constitutional requirements.”) Upon expiration of the delayed notice 
period, the statute requires the government to send a copy of the request or process along with a letter 
explaining the delayed notice to the customer or subscriber. See 18 U.S.C. § 2705(a)(5). 

ECPA’s provision allowing for opened e-mail to be obtained using a subpoena combined with 
prior notice to the subscriber appears to derive from Supreme Court case law interpreting the Fourth and 
Fifth Amendments. See Clifford S. Fishman & Anne T. McKenna, Wiretapping and Eavesdropping § 
26:9, at 26-12 (2d ed. 1995). When an individual gives paper documents to a third-party such as an 
accountant, the government may subpoena the paper documents from the third party without running 
afoul of either the Fourth or Fifth Amendment. See United States v. Couch, 409 U.S. 322 (1973) 
(rejecting Fourth and Fifth Amendment challenges to subpoena served on defendant’s accountant for the 
accountant’s business records stored with the accountant). In allowing the government to subpoena 
opened e-mail, “Congress seems to have concluded that by ‘renting’ computer storage space with a 
remote computing service, a customer places himself in the same situation as one who gives business 
records to an accountant or attorney.” Fishman & McKenna, § 26:9, at 26-13. 



3. Section 2703(d) Order 

• Agents need a § 2703(d) court order to obtain account logs and other transactional records. 

Agents who obtain a court order under 18 U.S.C. § 2703(d) may obtain: 

1) anything that can be obtained using a subpoena without notice; and 

2) all “record[s] or other information pertaining to a subscriber to or customer of such 
service (not including the contents of communications [held by providers of electronic 
communications service and remote computing service]).” 18 U.S.C. § 2703(c)(1)(B). 

A court order authorized by 18 U.S.C. § 2703(d) may be issued by any federal magistrate, district 
court or equivalent state court judge. See 18 U.S.C. § 2703(d). To obtain such an order, known as an 
“articulable facts” court order or simply a “d” order, 

the governmental entity [must] offer[] specific and articulable facts showing that there are 
reasonable grounds to believe that the contents of a wire or electronic communication, or 
the records or other information sought, are relevant and material to an ongoing criminal 
investigation. 

This standard does not permit law enforcement merely to certify that it has specific and articulable 
facts that would satisfy such a showing. Rather, the government must actually offer those facts to the 
court in the application for the order. See United States v. Kennedy, 81 F. Supp.2d 1103, 1109-11 (D. 
Kan. 2000) (concluding that a conclusory application for a § 2703(d) order “did not meet the 
requirements of the statute.”). The House Report that accompanied the passage of § 2703(d) included 
the following analysis: 

This section imposes an intermediate standard to protect on-line transactional records. It is a 
standard higher than a subpoena, but not a probable cause warrant. The intent of raising the 
standard for access to transactional data is to guard against “fishing expeditions” by law 
enforcement. Under the intermediate standard, the court must find, based on law 
enforcement's showing of facts, that there are specific and articulable grounds to believe 
that the records are relevant and material to an ongoing criminal investigation. 

H.R. Rep. No. 102-827, at 31 (1994), reprinted in 1994 U.S.C.C.A.N. 3489, 3511 (quoted in full in 
Kennedy, 81 F. Supp.2d at 1109 n.8). As a practical matter, a one- to three-page factual summary of the 
investigation and the role that the records will serve in advancing the investigation usually satisfies this 
criterion. A more in-depth explanation may be necessary in particularly complex cases. A sample § 
2703(d) application and order appears in Appendix B. 

Section 2703(d) orders are nationwide in scope, much like subpoenas. ECPA permits judges to 
enter § 2703(d) orders compelling providers to disclose information even if the judges do not sit in the 
district in which the information is stored. See 18 U.S.C. § 2703(d) (stating that “any court that is a 
court of competent jurisdiction described in [18 U.S.C.] section 3127(2)(A)” may issue a § 2703(d) 
order) (emphasis added); 18 U.S.C. § 3127(2)(A) (defining “court of competent jurisdiction” as “a 
district court of the United States (including a magistrate of such a court) or a United States Court of 
Appeals”). In contrast, the statutes and rules governing search warrants, Title III orders, and pen/trap 
orders contain express geographical limitations. See Fed. R. Crim. P. 41(a) (permitting magistrate 
judges to issue search warrants “for a search of property . . . within the district”); 18 U.S.C. § 2518(3) 
(authorizing judges to enter a Title III order permitting the interception of communications “within the 
territorial jurisdiction of the court in which the judge is sitting”); 18 U.S.C. § 3123(a) (authorizing courts 
to permit the installation of pen/trap devices “within the jurisdiction of the court”). 



4. § 2703(d) Order with Prior Notice to the Subscriber or Customer 

• Investigators can obtain everything in an account except for unopened e-mail stored with the ISP 
for 180 days or less and voicemail using a § 2703(d) court order that complies with the notice 
provisions. 

Agents who obtain a court order under 18 U.S.C. § 2703(d), and either give prior notice to the 
subscriber or else comply with the delayed notice provisions of § 2705, may obtain: 



1) everything that can be obtained using a § 2703(d) court order without notice; and 

2) “the contents of any electronic communication” held by a provider of remote computing 
service “on behalf of ... a customer or subscriber of such remote computing service.” 18 
U.S.C. § 2703(b)(1)(B)(ii), § 2703(b)(2). 

As a practical matter, this means that the government can obtain the full contents of a subscriber's 
account except unopened e-mail (which has been in “electronic storage” 180 days or less) using a § 
2703(d) order that complies with the prior notice provisions of § 2703(b)(1)(B). 

Although prior notice serves important constitutional values, agents can obtain an order delaying 
notice for up to ninety days when notice would seriously jeopardize the investigation. See 18 U.S.C. § 
2705(a). In such cases, agents generally will obtain this order by including an appropriate request in the 
agents’ 2703(d) application and proposed order; sample language appears in Appendix B. Agents may 
also apply for successive renewals of the delayed notice, but must apply to the court for extensions. See 
18 U.S.C. § 2705(a)(1)(A), § 2705(a)(4). The legal standards for obtaining a court order delaying notice 
mirror the standards for certified delayed notice by a supervisory official. The applicant must satisfy the 
court that “there is reason to believe that notification of the existence of the court order may . . . 
endanger[] the life or physical safety of an individual; [lead to] flight from prosecution; [lead to] 
destruction of or tampering with evidence; [lead to] intimidation of potential witnesses; or . . . otherwise 
seriously jeopardiz[e] an investigation or unduly delay[] a trial.” 18 U.S.C. § 2705(a)(1)(A), § 2705(a) 
(2). Importantly, the applicant must satisfy this standard anew every time the applicant seeks an 
extension of the delayed notice. 



5. Search Warrant 

• Investigators can obtain the full contents of an account (except for voicemail in “electronic 
storage”) with a search warrant. ECPA does not require the government to notify the customer 
or subscriber when it obtains information from a provider using a search warrant. 

Agents who obtain a search warrant under Rule 41 of the Federal Rules of Criminal Procedure or 
an equivalent state warrant may obtain: 

1) everything that can be obtained using a § 2703(d) court order with notice; and 

2) “the contents of an electronic communication, that is in electronic storage in an 
electronic communications system for one hundred and eighty days or less.” 18 U.S.C. § 2703(a). 

In other words, agents can obtain every record and all of the contents of an account (except for 
voicemail in “electronic storage,” see Chapter 4, Part C, Section 2, infra) by obtaining a search warrant 
based on probable cause pursuant to Fed. R. Crim. P. 41. The search warrant can then be served on the 
service provider and compels the provider to divulge the information described in the search warrant to 
law enforcement. Notably, obtaining a search warrant obviates the need to comply with the notice 
provisions of § 2705. See 18 U.S.C. § 2703(b)(1)(A). Moreover, because the warrant is issued by a 
neutral magistrate based on probable cause, obtaining a search warrant effectively insulates the process 
from challenge under the Fourth Amendment. 

As a practical matter, § 2703(a) search warrants are obtained just like Rule 41 search warrants, but 
are usually served like subpoenas. As with a typical Rule 41 warrant, investigators must draft an 
affidavit and a proposed warrant that complies with Rule 41. See 18 U.S.C. § 2703(a). Once a 
magistrate judge signs the warrant, however, investigators ordinarily do not themselves search through 
the provider’s computers in search of the materials described in the warrant. Instead, investigators bring 
the warrant to the provider, and the provider produces the material described in the warrant. 

E. Voluntary Disclosure 

The voluntary disclosure provisions of ECPA appear in 18 U.S.C. § 2702 and § 2703(c). These 
statutes govern when a provider of RCS or ECS can disclose contents and other information voluntarily, 
both to the government and non-government entities. If the provider may disclose the information to the 
government and is willing to do so voluntarily, law enforcement ordinarily does not need to obtain a 
legal order to compel the disclosure. If the provider either may not or will not disclose the information, 
agents must comply with the compelled disclosure provisions and obtain the appropriate legal orders. 



1. Contents 

• Providers of services not available “to the public” may freely disclose the contents of stored 
communications. Providers of services to the public may disclose the contents of stored 
communications only in certain situations. 

When considering whether a provider of RCS or ECS can disclose contents, the first question 
agents must ask is whether the services offered by the provider are available “to the public.” If the 
provider does not provide services “to the public,” then ECPA does not place any restrictions on the 
disclosure of contents. See 18 U.S.C. § 2702(a). For example, in Andersen Consulting v. UOP, 991 F. 
Supp. 1041 (N.D. Ill. 1998), the petroleum company UOP hired the consulting firm Andersen 
Consulting and gave Andersen employees accounts on UOP's computer network. After the relationship 
between UOP and Andersen soured, UOP disclosed to the Wall Street Journal e-mails that Andersen 
employees had left on the UOP network. Andersen sued, claiming that the disclosure of its contents by the 
provider UOP had violated ECPA. The district court rejected the suit on the ground that UOP did not 
provide an electronic communications service to the public: 

[G]iving Andersen access to [UOP's] e-mail system is not equivalent to providing e-mail to 
the public. Andersen was hired by UOP to do a project and as such, was given access to 
UOP's e-mail system similar to UOP employees. Andersen was not any member of the 
community at large, but a hired contractor. 

Id. at 1043. Because UOP did not provide services to the public, ECPA did not prohibit disclosure of 
contents. 

If the services offered by the provider are available to the public, then ECPA forbids the disclosure of 
contents unless: 



1) the disclosure “may be necessarily incident to the rendition of the service or to the 
protection of the rights or property of the provider of that service,” § 2702(b)(5); 

2) the disclosure is made “to a law enforcement agency ... if the contents . . . were 
inadvertently obtained by the service provider . . .[and] appear to pertain to the commission 
of a crime,” § 2702(b)(6)(A); 

3) the Child Protection and Sexual Predator Punishment Act of 1998, 42 U.S.C. § 13032, 
mandates the disclosure, 18 U.S.C. § 2702(b)(6)(B); or 

4) the disclosure is made to the intended recipient of the communication, with the consent 
of the intended recipient, to a forwarding address, or pursuant to a court order. 18 U.S.C. § 
2702(b)(1)-(4). See 18 U.S.C. § 2702. 



In general, these exceptions permit disclosure by a provider to the public when the needs of public 
safety and service providers outweigh privacy concerns of customers, or else when disclosure is unlikely 
to pose a serious threat to privacy interests. 



2. Records Other than Contents 

• The rules for disclosure of non-content records to the government remain hazy. 

Whether a provider of RCS or ECS can disclose non-content records depends first on who will 
receive the disclosure. ECPA permits providers to disclose “record[s] or other information pertaining to 
a subscriber to or customer of such service” voluntarily to anyone outside of the government for any 
reason. 18 U.S.C. § 2703(c)(1)(A). The rules permitting the disclosure of non-content records to a 
government entity are considerably more narrow, however. For this reason, agents should be extremely 
careful when communicating with network service providers in an undercover capacity so as not to 
violate ECPA. Likewise, when they are not in an undercover capacity, agents should clearly identify 
themselves as law enforcement agents. 

On its face, 18 U.S.C. § 2703(c)(1)(B) authorizes the disclosure of “record[s] or other information 
pertaining to a subscriber to or customer of such service” to a government entity only when the 
government obtains a warrant or § 2703(d) order, the customer or subscriber consents, or the 
government submits a formal written request in a telemarketing fraud investigation. 18 U.S.C. § 2703(c) 
(1)(B). Read broadly, this might appear to prohibit service providers from disclosing account logs and 
basic subscriber information voluntarily. Such a result would defy common sense in many recurring 
situations, however. For example, a network provider that is being defrauded by a customer or 
subscriber often contacts law enforcement seeking to disclose records of the misuse. This is true both 
for government providers such as NASA and DoD and for private providers such as corporations and 
universities. A broad reading of 18 U.S.C. § 2703(c)(1)(B)'s prohibition could prohibit these providers 
from taking the natural step of disclosing records of the abuse when they are victims. Under this 
reading, the provider would be forced to contact law enforcement, and then law enforcement would have 
to obtain a § 2703(d) order to “compel” the provider to disclose the records. 

There are several reasons to believe that courts will not adopt such a broad reading of § 2703(c)(1) 
(B), and will permit providers to disclose non-content records when necessary to protect the rights and 
property of the provider. First, courts may rule that the “protection of the rights or property of the 
provider” exception that expressly permits providers to disclose stored contents and intercept 
communications in transit impliedly covers the disclosure of less sensitive non-content records. See 18 
U.S.C. § 2702(b)(5), § 2511(2)(a)(i). The courts have made similar rulings in the context of Title III and 
its predecessor statute in order to recognize providers’ “fundamental right to take reasonable measures to 
protect themselves and their properties against the illegal acts of a trespasser.” Bubis v. United States, 
384 F.2d 643, 647-648 (9th Cir. 1967) (rejecting a literal interpretation of 47 U.S.C. § 605, the 
predecessor to Title III, that would have left communications system providers “powerless to take 
reasonable measures to protect themselves and their properties against the improper and illegal use of 
their facilities.”); United States v. Auler, 539 F.2d 642, 646 n.9 (7th Cir. 1976) (stating that when 
intercepting the contents of a communication is permitted under Title III, then recording mere pen 
register/trap and trace information relating to the same communication is “surely permissible”) (citing 
United States v. Freeman, 524 F.2d 337, 341 (7th Cir. 1975)). 

Provider disclosure of non-content records may also be justified in specific situations. For 
example, a computer hacker who does not have a legitimate account is not a “customer” or “subscriber” 
of the provider, so that the provider should be able to disclose records “pertaining to” the intruder's 
activity without running afoul of ECPA. Cf. Organizacion JD Ltda. v. United States Department of 
Justice, 124 F.3d 354, 359-61 (2d Cir. 1997) (concluding that a recipient of an electronic funds transfer 
is not a “customer” of the bank who provided the transfer according to ECPA, where the recipient did 
not have a legitimate account with the bank). Similarly, the structure of § 2703(c)(1)(A)-(B) suggests 
that the prohibition on disclosure of non-contents to “a government entity” might not apply to 
disclosures among government entities. Finally, if the provider does not offer services “to the public,” 
the provider cannot be a provider of RCS. If the records do not pertain to communications in “electronic 
storage,” ECPA may not regulate the provider's disclosure of the records. 

The rules for voluntary disclosure of records to the government will remain hazy until the courts 
begin interpreting § 2703(c), or until Congress changes the language of the statute. Until that time, 
agents should be aware that some courts might rule that voluntary disclosure of records to the 
government will violate ECPA even when there are weighty concerns supporting the disclosure. Of 
course, agents can avoid this defect by obtaining a § 2703(d) order, search warrant, or the consent of the 
customer or subscriber. 

F. Quick Reference Guide 

Unopened e-mail (in electronic storage 180 days or less) 
    Voluntary Disclosure Allowed? 
        Public Provider: No, unless § 2702(b) exception applies [§ 2702(a)(1)] 
        Non-Public Provider: Yes [§ 2702(a)(1)] 
    Mechanisms to Compel Disclosure 
        Public Provider: Search warrant [§ 2703(a)] 
        Non-Public Provider: Search warrant [§ 2703(a)] 

Unopened e-mail (in electronic storage more than 180 days) 
    Voluntary Disclosure Allowed? 
        Public Provider: No, unless § 2702(b) exception applies [§ 2702(a)(1)] 
        Non-Public Provider: Yes [§ 2702(a)(1)] 
    Mechanisms to Compel Disclosure 
        Public Provider: Subpoena with notice; 2703(d) order with notice; or search warrant [§ 2703(a,b)] 
        Non-Public Provider: Subpoena with notice; 2703(d) order with notice; or search warrant [§ 2703(a,b)] 

Opened e-mail, and other stored files 
    Voluntary Disclosure Allowed? 
        Public Provider: No, unless § 2702(b) exception applies [§ 2702(a)(2)] 
        Non-Public Provider: Yes [§ 2702(a)(2) and § 2711(2)] 
    Mechanisms to Compel Disclosure 
        Public Provider: Subpoena with notice; 2703(d) order with notice; or search warrant [§ 2703(b)] 
        Non-Public Provider: Subpoena; ECPA doesn’t apply [§ 2711(2)] 

Basic subscriber information 
    Voluntary Disclosure Allowed? 
        Public Provider: No, although exceptions may exist* [§ 2703(c)] 
        Non-Public Provider: No, although exceptions may exist* [§ 2703(c)] 
    Mechanisms to Compel Disclosure 
        Public Provider: Subpoena; 2703(d) order; or search warrant [§ 2703(c)(1)(C)] 
        Non-Public Provider: Subpoena; 2703(d) order; or search warrant [§ 2703(c)(1)(C)] [§ 2711(2)] 

Transactional and other account records 
    Voluntary Disclosure Allowed? 
        Public Provider: No, although exceptions may exist* [§ 2703(c)] 
        Non-Public Provider: No, although exceptions may exist* [§ 2703(c)] 
    Mechanisms to Compel Disclosure 
        Public Provider: 2703(d) order or search warrant [§ 2703(c)(1)(B)] 
        Non-Public Provider: 2703(d) order or search warrant [§ 2703(c)(1)(B)] 

* See the discussion in Part E(2) above. 



G. Working with Network Providers: Preservation of Evidence, Preventing Disclosure to Subjects, 
and Cable Act Issues 

• In general, investigators should communicate with network service providers before issuing 
subpoenas or obtaining court orders that compel the providers to disclose information. 

Law enforcement officials who procure records under ECPA quickly learn the importance of 
communicating with network service providers. This is true because every network provider works 
differently. Some providers retain very complete records for a long period of time; others retain few 
records, or even none. Some providers can comply easily with law enforcement requests for 
information; others struggle to comply with even simple requests. These differences are due to varied 
philosophies, resources, hardware and software among network service providers. Because of these 
differences, agents often will want to communicate with network providers to learn how the provider 
operates before obtaining a legal order that compels the provider to act. 

ECPA contains two provisions designed to aid law enforcement officials working with network 
service providers. When used properly, these provisions help ensure that providers will not delete 
needed records or notify others about the investigation. 



1. Preservation of Evidence under 18 U.S.C. § 2703(f) 

• Agents may make binding requests to providers that they preserve existing records pending the 
issuance of more formal legal process. Such requests have no prospective effect, however. 

In general, no law regulates how long network service providers must retain account records in the 
United States. Some providers retain records for months, others for hours, and others not at all. As a 
practical matter, this means that evidence may be destroyed or lost before law enforcement can obtain 
the appropriate legal order compelling disclosure. For example, agents may learn of a child 
pornography case on Day 1, begin work on a search warrant on Day 2, obtain the warrant on Day 5, and 
then learn that the network service provider deleted the records in the ordinary course of business on 
Day 3. To minimize this risk, ECPA permits the government to direct providers to “freeze” stored 
records and communications pursuant to 18 U.S.C. § 2703(f). Specifically, § 2703(f)(1) states: 

A provider of wire or electronic communication service or a remote computing service, 
upon the request of a governmental entity, shall take all necessary steps to preserve records 
and other evidence in its possession pending the issuance of a court order or other process. 

Section 2703(f) permits law enforcement agents to contact providers and make a binding request 
directing the provider to preserve records they have in their possession. While a simple phone call 
should be adequate, a fax or an e-mail is better because it both provides a paper record and guards 
against miscommunication. Upon receipt of the government’s request, the provider must retain the 
records for 90 days, renewable for another 90-day period upon a renewed government request. See 18 
U.S.C. § 2703(f)(2). A sample 2703(f) letter appears in Appendix C. 

Agents who send 2703(f) letters to network service providers should be aware of two limitations. 
First, the authority to direct providers to preserve records and other evidence is not prospective. That is, 
§ 2703(f) letters can order a provider to preserve records that have already been created, but cannot 
order providers to preserve records not yet made. Agents cannot use § 2703(f) prospectively as an “end 
run” around the electronic surveillance statutes. If agents want providers to record information about 
future electronic communications, they must comply with the electronic surveillance statutes discussed 
in Chapter 4. 

A second limitation of § 2703(f) is that some providers may be unable to comply effectively with § 
2703(f) requests. As of the time of this writing, for example, the software used by America Online 
generally requires AOL to reset the password of an account when it attempts to comply with a § 2703(f) 
request to preserve stored e-mail. A reset password may well tip off the suspect. As a result, agents 
may or may not want to issue 2703(f) letters to AOL or other providers who use similar software, 
depending on the facts. The key here is effective communication: agents should communicate with the 
network provider before ordering the provider to take steps that may have unintended adverse effects. 
Agents simply cannot make informed investigative choices without knowing the provider's particular 
practices, strengths, and limitations. 



2. Orders Not to Disclose the Existence of a Warrant, Subpoena, or Court Order 

18 U.S.C. § 2705(b) states: 

A governmental entity acting under section 2703, when it is not required to notify the 
subscriber or customer under section 2703(b)(1), or to the extent that it may delay such 
notice pursuant to subsection (a) of this section, may apply to a court for an order 
commanding a provider of electronic communications service or remote computing service 
to whom a warrant, subpoena, or court order is directed, for such period as the court deems 
appropriate, not to notify any other person of the existence of the warrant, subpoena, or 
court order. The court shall enter such an order if it determines that there is reason to 
believe that notification of the existence of the warrant, subpoena, or court order will result 
in— 

(1) endangering the life or physical safety of an individual; 

(2) flight from prosecution; 

(3) destruction of or tampering with evidence; 

(4) intimidation of potential witnesses; or 

(5) otherwise seriously jeopardizing an investigation or unduly delaying a trial. 



18 U.S.C. § 2705(b). 

This language permits agents to apply for a court order directing network service providers not to 
disclose the existence of compelled process whenever the government itself has no legal duty to notify 
the customer or subscriber of the process. If the relevant process is a § 2703(d) order or warrant, agents 
can simply include appropriate language in the application and proposed § 2703(d) order or warrant. If 
agents instead seek to compel information using a subpoena, they must apply separately for this order. 



3. Possible Conflicts with the Cable Act, 47 U.S.C. § 551 

Prosecutors and agents should be aware of the potential conflict between § 2703(c)(1) and the 
Cable Subscriber Privacy Act (“the Cable Act”), 47 U.S.C. § 551, when seeking records from a network 
service provider that happens also to be a cable television provider. When Congress passed the Cable 
Act in 1984 and ECPA in 1986, the two statutory regimes coexisted peacefully. The Cable Act offered 
privacy rights for cable television subscribers relating to their cable television service, and ECPA 
offered privacy rights to Internet users relating to their Internet service. Today these two services often 
converge: many cable providers deliver high-speed Internet access over cable lines. These providers 
occasionally have expressed the belief that their provision of Internet service is governed by the Cable 
Act rather than ECPA. See, e.g., In Re Application of the United States for an Order Pursuant to 18 
U.S.C. 2703(d), 36 F. Supp.2d 430 (D. Mass. 1999). This can prove troublesome for law enforcement, 
because the Cable Act permits the government to obtain “personally identifiable information concerning 
a cable subscriber” only by overcoming a heavy burden of proof at an in-court adversary proceeding. 47 
U.S.C. § 551(h). Such an adversary proceeding would not only tip off the suspect of the investigation, 
but would require the government to inform the suspect of the evidence the government has linking the 
suspect to the criminal activity. See id. Needless to say, such a rule would block government 
investigations in most if not all cases. 

Properly construed, the Cable Act should not conflict with ECPA because the two statutes regulate 
different services. The Cable Act regulates the provision of cable television service, see H.R. Rep. 98-934, 
at 2 (1984), reprinted in 1984 U.S.C.C.A.N. 4655, 4656, and ECPA regulates the provision of 
Internet service. When a cable company provides Internet service, it should be bound by the rules that 
apply to the provision of Internet service, not the rules that apply to cable television. Cable providers 
should not be exempt from ECPA merely because they happen to provide their Internet service over 
cable lines. A contrary result would permit privacy rights to hinge upon the corporate identity of the 
provider and the means by which it provided the service. This approach would frustrate the design of 
both the Cable Act and ECPA to establish uniform national standards for each type of service. 
Accordingly, 18 U.S.C. § 2703(c) governs compelled access to records belonging to cable Internet 
providers, rather than 47 U.S.C. § 551(h). 

Prosecutors and agents who encounter this issue can contact the Computer Crime and Intellectual 
Property Section at (202) 514-1026 or their local CTC for additional advice. 



H. Remedies 

1. Suppression 

ECPA does not provide a suppression remedy. See 18 U.S.C. § 2708 (“The [damages] remedies 
and sanctions described in this chapter are the only judicial remedies and sanctions for nonconstitutional 
violations of this chapter.”). Accordingly, nonconstitutional violations of ECPA do not result in 
suppression of the evidence. See United States v. Smith, 155 F.3d 1051, 1056 (9th Cir. 1998) (“[T]he 
Stored Communications Act expressly rules out exclusion as a remedy”); United States v. Kennedy, 81 
F. Supp.2d 1103, 1110 (D. Kan. 2000) (“[S]uppression is not a remedy contemplated under the 
ECPA.”); United States v. Hambrick, 55 F. Supp.2d 504, 507 (W.D. Va. 1999) (“Congress did not 
provide for suppression where a party obtains stored data or transactional records in violation of the 
Act”), aff'd, 225 F.3d 656, 2000 WL 1062039 (4th Cir. 2000); United States v. Charles, 1998 WL 
204696, at *21 (D. Mass. 1998) (“ECPA provides only a civil remedy for a violation of § 2703”); United 
States v. Reyes, 922 F. Supp. 818, 837-38 (S.D.N.Y. 1996) (“Exclusion of the evidence is not an 
available remedy for this violation of the ECPA. . . . The remedy for violation of [18 U.S.C. § 2701-11] 
lies in a civil action.”).[13] 

Defense counsel seeking suppression of evidence obtained in violation of ECPA are likely to rely 
on McVeigh v. Cohen, 983 F. Supp. 215 (D.D.C. 1998). In this unusual case, Judge Sporkin enjoined 
the United States Navy from dismissing 17-year Navy veteran Timothy R. McVeigh after the Navy 
learned that McVeigh was gay. The Navy learned of McVeigh's sexual orientation after McVeigh sent 
an e-mail signed “Tim” from his AOL account “boysrch” to the AOL account of a civilian Navy 
volunteer. When the volunteer examined AOL's “member profile directory,” she learned that “boysrch” 
belonged to a man in the military stationed in Honolulu who listed his marital status as “gay.” 

Suspecting that the message was from McVeigh, the volunteer forwarded the e-mail and directory 
profile to officers aboard McVeigh's submarine. The officers then began investigating McVeigh's 
sexual orientation. To confirm McVeigh's identity, a Navy paralegal telephoned AOL and offered a 
false story for why he needed the real name of “boysrch.” The paralegal did not disclose that he was a 
Naval serviceman. After the AOL representative confirmed that “boysrch” belonged to McVeigh’s 
account, the Navy began a discharge proceeding against McVeigh. Shortly before McVeigh's discharge 
was to occur, McVeigh filed suit and asked for a preliminary injunction blocking the discharge. Judge 
Sporkin granted McVeigh's motion the day before the discharge. 

Judge Sporkin's opinion reflects both the case's highly charged political atmosphere and the press 
of events surrounding the issuance of the opinion. In the course of criticizing the Navy for 
substituting subterfuge for ECPA's legal process to obtain McVeigh's basic subscriber information from 
AOL, Judge Sporkin made statements that could be interpreted as reading a suppression remedy into 
ECPA for flagrant violations of the statute: 

[I]t is elementary that information obtained improperly can be suppressed where an 
individual's rights have been violated. In these days of 'big brother,' where through 
technology and otherwise the privacy interests of individuals from all walks of life are being 
ignored or marginalized, it is imperative that statutes explicitly protecting these rights be 
strictly observed. 

Id. at 220. While ECPA should be strictly observed, the statement that suppression is appropriate when 
information is obtained in violation of “an individual's rights” is somewhat perplexing. Both the case 
law and the text of ECPA itself make clear that ECPA does not offer a suppression remedy for 
nonconstitutional violations. Accordingly, this statement must be construed to refer only to 
constitutional rights. 

2. Civil Actions 

Although ECPA does not provide a suppression remedy for statutory violations, it does provide for 
civil damages (including, in some cases, punitive damages), as well as the prospect of disciplinary 
actions against officers and employees of the United States who may have engaged in willful violations. 
18 U.S.C. § 2707 permits a “person aggrieved” by an ECPA violation to bring a civil action against the 
“person or entity which engaged in that violation.” 18 U.S.C. § 2707(a). Relief can include money 
damages no less than $1,000 per person, equitable or declaratory relief, and a reasonable attorney's fee 
plus other reasonable litigation costs. Willful or intentional violations can also result in punitive 
damages, see § 2707(b)-(c), and employees of the United States may be subject to disciplinary action 
for willful or intentional violations. See § 2707(d). A good faith reliance on a court order or warrant, 
grand jury subpoena, legislative authorization, or statutory authorization provides a complete defense to 
any ECPA civil or criminal action. See § 2707(e). Qualified immunity may also be available. See 
Chapter 4, Part D, Sec. 2. 

At least one court has held that a government entity cannot be held liable for obtaining 
information from a network service provider in violation of 18 U.S.C. § 2703(c). In Tucker v. Waddell, 
83 F.3d 688 (4th Cir. 1996), Durham, North Carolina police officers obtained a subscriber's account 
records using an unauthorized subpoena in violation of § 2703(c)(1)(C). The subscriber sued the City of 
Durham and the officers, seeking damages. The Fourth Circuit rejected the suit, reasoning that § 2703 
(c) imposed duties on providers of ECS and RCS, but not government entities seeking information from 
such providers. See id. at 691-93. Accordingly, the government could not be sued for violating § 2703 
(c) unless it aided and abetted or conspired in the provider's violation. See id. at 693, 693 n.6. Notably, 
however, even the Tucker court agreed that the government could be held liable for violating § 2703(a) 
or § 2703(b). See id. at 693. 



IV. ELECTRONIC SURVEILLANCE IN COMMUNICATIONS NETWORKS 



A. Introduction 

Computer crime investigations often involve electronic surveillance. Agents may want to monitor 
a hacker as he breaks into a victim computer system, or set up a “cloned” e-mail box to monitor a 
suspect sending or receiving child pornography over the Internet. In a more traditional context, agents 
may wish to wiretap a suspect’s telephone, or learn whom the suspect has called, and when. This 
chapter explains how the electronic surveillance statutes work in criminal investigations involving 
computers. 

Two federal statutes govern real-time electronic surveillance in federal criminal investigations. 
The first and most important is the wiretap statute, 18 U.S.C. §§ 2510-22, first passed as Title III of the 
Omnibus Crime Control and Safe Streets Act of 1968 (and generally known as “Title III”). The second 
statute is the Pen Registers and Trap and Trace Devices chapter of Title 18 (“the Pen/Trap statute”), 18 
U.S.C. §§ 3121-27, which governs pen registers and trap and trace devices. Failure to comply with 
these statutes may result in civil and criminal liability, and in the case of Title III, may also result in 
suppression of evidence. 

• In general, the Pen/Trap statute regulates the collection of addressing information for wire and 
electronic communications. Title III regulates the collection of actual content for wire and 
electronic communications. 

Title III and the Pen/Trap statute coexist because they regulate access to different types of 
information. Title III permits the government to obtain the contents of wire and electronic 
communications in transmission. In contrast, the Pen/Trap statute concerns the collection of mere 
addressing information relating to those communications. See United States Telecom Ass’n v. FCC, 
227 F.3d 450, 454 (D.C. Cir. 2000); Brown v. Waddell, 50 F.3d 285, 289-93 (4th Cir. 1995) 
(distinguishing pen registers from Title III intercept devices). The difference between addressing 
information and content is clear in the case of traditional communications such as telephone calls. The 
addressing information for a telephone call is the phone number dialed for an outgoing call, and the 
originating number (the caller ID information) for an incoming call. In contrast, the content of the 
communication is the actual conversation between the two parties to the call. 

The distinction between addressing information and content also applies to Internet 
communications. For example, when computers attached to the Internet communicate with each other, 
they break down messages into discrete chunks known as “packets,” and then send each packet out to its 
intended destination. Every packet contains addressing information in the “header” of the packet (much 
like the “to” and “from” addresses on an envelope), followed by the content of the message (much like a 
letter inside an envelope). The Pen/Trap statute permits law enforcement to obtain the addressing 
information of Internet communications much as it would addressing information for traditional phone 
calls. See 18 U.S.C. § 3127(4) (defining “trap and trace device” broadly as “a device which captures the 
incoming electronic or other impulses which identify the originating number of an instrument or device 
from which a wire or electronic communication was transmitted”). However, reading the entire packet 
ordinarily implicates Title III. The primary difference between an Internet pen/trap device and an 
Internet Title III intercept device (sometimes known as a “sniffer”) is that the former is programmed to 
capture and retain only addressing information, while the latter is programmed to read the entire packet. 

The same distinction applies to Internet e-mail. Every Internet e-mail message consists of a header 
that contains addressing and routing information generated by the mail program, followed by the actual 
contents of the message authored by the sender. The addressing and routing information includes the 
e-mail address of the sender and recipient, as well as information about when and where the message was 
sent on its way (roughly analogous to the postmark on a letter). The Pen/Trap statute permits law 
enforcement to obtain the addressing information of Internet e-mails (minus the subject line, which can 
contain contents, cf. Brown, 50 F.3d at 292) using a court order, just like it permits law enforcement to 
obtain addressing information for phone calls and individual Internet “packets” using a court order. 
Conversely, the interception of e-mail contents, including the subject line, requires careful compliance 
with the strict dictates of Title III. 
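
The following example is added here and is not part of the original manual. It sketches, in Python, a filter of the kind described above that retains only addressing and routing fields of an e-mail and never copies the subject line or the message body. The lists of retained fields, the function names, and the sample message are assumptions constructed for illustration, not statutory definitions.

```python
"""Header-only e-mail filter: keeps addressing/routing fields, drops content.

Added illustration; field lists and names are assumptions, not statutory text.
"""
from email import message_from_bytes, policy
from email.utils import getaddresses

# Assumption: fields treated as addressing. They are reduced to bare
# addresses, because display names are free text chosen by the sender.
ADDRESS_FIELDS = ("From", "To", "Cc")
# Assumption: fields treated as routing ("when and where" the message went).
ROUTING_FIELDS = ("Date", "Received")
RETAINED = {f.lower() for f in ADDRESS_FIELDS + ROUTING_FIELDS}


def _unfold(value) -> str:
    """Collapse RFC 5322 header folding (CRLF + whitespace) to single spaces."""
    return " ".join(str(value).split())


def addressing_record(raw: bytes) -> dict:
    """Return only allowlisted header data; Subject and body are never copied.

    An allowlist fails closed: any field not named above (Subject, X-* fields,
    anything unknown) is dropped rather than retained by default.
    """
    msg = message_from_bytes(raw, policy=policy.compat32)
    record = {}
    for name in ADDRESS_FIELDS:
        values = [_unfold(v) for v in msg.get_all(name, [])]
        if values:
            addrs = [addr for _display, addr in getaddresses(values) if addr]
            if addrs:
                record[name] = addrs
    for name in ROUTING_FIELDS:
        values = [_unfold(v) for v in msg.get_all(name, [])]
        if values:
            record[name] = values
    return record


def withheld_fields(raw: bytes) -> list:
    """Names (never values) of what the filter discarded, for an audit trail."""
    msg = message_from_bytes(raw, policy=policy.compat32)
    names = [n for n in msg.keys() if n.lower() not in RETAINED]
    if msg.get_payload():
        names.append("(body)")
    return names


# Constructed sample message (example.org / example.net, documentation IP).
SAMPLE = (
    b"Received: from mail.example.org (mail.example.org [192.0.2.10])\r\n"
    b"\tby mx.example.net with ESMTP; Fri, 12 Jan 2001 10:15:02 -0500\r\n"
    b"From: \"A. Sender\" <sender@example.org>\r\n"
    b"To: First Recipient <first@example.net>,\r\n"
    b" second@example.net\r\n"
    b"Subject: meeting notes\r\n"
    b"Date: Fri, 12 Jan 2001 10:15:00 -0500\r\n"
    b"X-Note: free text a user agent might add\r\n"
    b"\r\n"
    b"Body text of the message.\r\n"
)

if __name__ == "__main__":
    for field, values in addressing_record(SAMPLE).items():
        print(field, values)
    print("withheld:", withheld_fields(SAMPLE))
```
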



B. The Pen/Trap Statute, 18 U.S.C. §§ 3121-27 

The Pen/Trap statute authorizes a government attorney to apply to a court for an order authorizing 
the installation of a pen register and/or trap and trace device so long as “the information likely to be 
obtained is relevant to an ongoing criminal investigation.” 18 U.S.C. § 3122(b)(2). A pen register 
records outgoing addressing information (such as a number dialed from a monitored telephone), and a 
trap and trace device records incoming addressing information (such as caller ID information). See 18 
U.S.C. § 3127(3)-(4). In Internet cases, however, the historical distinction between pen registers and 
trap and trace devices carries less importance. Because Internet headers contain both “to” and “from” 
information, a device that reads the entire header (minus the subject line in the case of e-mail headers) is 
known simply as a pen/trap device. 

To obtain an order, applicants must identify themselves, identify the law enforcement agency 
conducting the investigation, and then certify their belief that the information likely to be obtained is 
relevant to an ongoing criminal investigation being conducted by the agency. See 18 U.S.C. § 3122(b) 
(1)-(2). So long as the application contains these elements, the court will authorize the installation of the 
pen/trap device. The court will not conduct an “independent judicial inquiry into the veracity of the 
attested facts.” In re Application of the United States, 846 F. Supp. 1555, 1558-59 (M.D. Fla. 1994). See 
also United States v. Fregoso, 60 F.3d 1314, 1320 (8th Cir. 1995) (“The judicial role in approving use of 
trap and trace devices is ministerial in nature.”). 

Importantly, this limited judicial review coexists with a strong enforcement mechanism for 
violations of the statute. As one court has explained, 

[t]he salient purpose of requiring the application to the court for an order is to affix personal 
responsibility for the veracity of the application (i.e., to ensure that the attesting United 
States Attorney is readily identifiable and legally qualified) and to confirm that the United 
States Attorney has sworn that the required investigation is in progress. ... As a form of 
deterrence and as a guarantee of compliance, the statute provides ... for a term of 
imprisonment and a fine as punishment for a violation [of the statute]. 

In re Application of the United States, 846 F. Supp. at 1559. 

The resulting order may authorize use of a pen/trap device for up to sixty days, and may be 
extended for additional sixty-day periods. See 18 U.S.C. § 3123(c). The court order also orders the 
provider not to disclose the existence of the pen/trap “to any . . . person, unless or until otherwise 
ordered by the court,” 18 U.S.C. § 3123(d)(2), and may order providers of wire or electronic 
communications service, landlords, or custodians to “furnish . . . forthwith all information, facilities, and 
technical assistance necessary” to install pen/trap devices. See 18 U.S.C. § 3124(a), (b). Providers who 
are ordered to assist with the installation of pen/trap devices under § 3124 can receive reasonable 
compensation for reasonable expenses incurred in providing facilities or technical assistance to law 
enforcement. See 18 U.S.C. § 3124(c). A provider’s good faith reliance on a court order provides a 
complete defense to any civil or criminal action arising from its assistance in accordance with the order. 
See 18 U.S.C. § 3124(d), (e). 

The Pen/Trap statute also grants providers of electronic or wire communication service broad 
authority to use pen/trap devices on their own networks without a court order. 18 U.S.C. § 3121(b) states 
that providers may use pen/trap devices without a court order 



(1) relating to the operation, maintenance, and testing of a wire or electronic 
communication service or to the protection of the rights or property of such provider, or to 
the protection of users of that service from abuse of service or unlawful use of service; or 

(2) to record the fact that a wire or electronic communication was initiated or completed in 
order to protect such provider, another provider furnishing service toward the completion of 
the wire communication, or a user of that service, from fraudulent, unlawful or abusive use 
of service; or 

(3) where the consent of the user of that service has been obtained. 



18 U.S.C. § 3121(b). 



C. The Wiretap Statute, Title III, 18 U.S.C. §§ 2510-22 



1. Introduction: The General Prohibition 

Since its enactment in 1968 and amendment in 1986, Title III has provided the statutory 
framework that governs real-time electronic surveillance of the contents of communications. When 
agents want to wiretap a suspect’s phone, ‘keystroke’ a hacker breaking into a computer system, or 
accept the fruits of wiretapping by a private citizen who has discovered evidence of a crime, the agents 
first must consider the implications of Title III. 

The structure of Title III is surprisingly simple. The statute’s drafters assumed that every private 
communication could be modeled as a two-way connection between two participating parties, such as a 
telephone call between A and B. At a fundamental level, the statute prohibits a third party (such as the 
government) who is not a participating party to the communication from intercepting private 
communications between the parties using an “electronic, mechanical, or other device,” unless one of 
several statutory exceptions applies. See 18 U.S.C. § 2511(1). Importantly, this prohibition is quite 
broad. Unlike some privacy laws that regulate only certain cases or specific places, Title III expansively 
prohibits eavesdropping (subject to certain exceptions and interstate requirements) essentially 
everywhere by anyone in the United States. Whether investigators want to conduct surveillance at 
home, at work, in government offices, in prison, or on the Internet, they must make sure that the 
monitoring complies with Title III’s prohibitions. 

The questions that agents and prosecutors must ask to ensure compliance with Title III are 
straightforward, at least in form: 1) Is the communication to be monitored one of the protected 
communications defined in 18 U.S.C. § 2510?, 2) Will the proposed surveillance lead to an 
“interception” of the communications?, and 3) If the answer to the first two questions is ‘yes,’ does a 
statutory exception apply that permits the interception? 



2. Key Phrases 

Title III broadly prohibits the “interception” of “oral communications,” “wire communications,” 
and “electronic communications.” These phrases are defined by the statute. See generally 18 U.S.C. § 
2510. In computer crime cases, agents and prosecutors planning electronic surveillance must understand 
the definition of “wire communication,” “electronic communication,” and “intercept.” (Surveillance of 
oral communications rarely arises in computer crime cases, and will not be addressed directly here. 
Agents and prosecutors requiring assistance in cases involving oral communications should contact the 
Justice Department's Office of Enforcement Operations at (202) 514-6809.) 



“Wire communication” 

• In general, telephone conversations are wire communications. 

According to § 2510(1), “wire communication” means 

any aural transfer made in whole or in part through the use of facilities for the transmission 
of communications by the aid of wire, cable, or other like connection between the point of 
origin and the point of reception (including the use of such connection in a switching 
station) furnished or operated by any person engaged in providing or operating such 
facilities for the transmission of interstate or foreign communications or communications 
affecting interstate or foreign commerce and such term includes any electronic storage of 
such communication. 

Within this complicated definition, the most important requirement is that the content of the 
communication must include the human voice. See § 2510(18) (defining “aural transfer” as “a transfer 
containing the human voice at any point between and including the point of origin and point of 
reception”). If a communication does not contain a genuine human voice, either alone or in a group 
conversation, then it cannot be a wire communication. See S. Rep. No. 99-541, at 12 (1986), reprinted in 
1986 U.S.C.C.A.N. 3555; United States v. Torres, 751 F.2d 875, 885-86 (7th Cir. 1984) (concluding 
that “silent television surveillance” cannot lead to an interception of wire communications under Title III 
because no aural acquisition occurs). 

The additional requirement that wire communications must be sent “in whole or in part ... by the 
aid of wire, cable, or other like connection ...” presents a fairly low hurdle. So long as the signal 
travels through wire at some point along its route between the point of origin and the point of reception, 
the requirement is satisfied. For example, all voice telephone transmissions, including those from 
satellite signals and cellular phones, qualify as wire communications. See H.R. Rep. No. 99-647, at 35 
(1986). Because such transmissions are carried by wire within switching stations, they are expressly 
included in the definition of wire communication. Importantly, the presence of wire inside equipment at 
the sending or receiving end of a communication (such as an individual cellular phone) does not satisfy 
the requirement that a communication be sent “in part” by wire. The wire must transmit the 
communication “to a significant extent” along the path of transmission, outside of the equipment that 
sends or receives the communication. Id. 

The final phrase of § 2510(1), relating to wire communications in “electronic storage,” has been a 
source of considerable confusion. Congress added this phrase to the definition of wire communication 
to ensure that stored voice mail would in some circumstances be protected by the wiretap laws. See S. 
Rep. No. 99-541, at 12 (1986), reprinted in 1986 U.S.C.C.A.N. 3555 (explaining that final phrase was 
designed “to specify that wire communications in storage like voice mail, remain wire communications, 
and are protected accordingly”). By using the phrase “electronic storage,” however, Congress invoked a 
term of art that has a particular and limited meaning: a “temporary, intermediate storage . . . incidental 
to . . . electronic transmission.” § 2510(17). See generally Chapter 3, Part B (discussing the meaning of 
“electronic storage” as defined in § 2510(17)). Thus, the final phrase of § 2510(17) appears to add 
unopened voice mail to the definition of wire communications. The practical effect of this phrase is to 
require a Title III court order as a condition of government access to voice mail in “electronic storage.” 
See also Chapter 3, Part D (discussing the treatment of voicemail under ECPA). 

“Electronic communication” 

• Most Internet communications (including e-mail) are electronic communications. 

18 U.S.C. § 2510(12) defines “electronic communication” as 

any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature, transmitted in 
whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects 
interstate or foreign commerce, but does not include 

(A) any wire or oral communication; 

(B) any communication made through a tone-only paging device; 

(C) any communication from a tracking device . . . ; or 

(D) electronic funds transfer information stored by a financial institution in a 
communications system used for the electronic storage and transfer of funds; 



As the definition suggests, electronic communication is a broad, catch-all category. See United 
States v. Herring, 993 F.2d 784, 787 (11th Cir. 1993). “As a rule, a communication is an electronic 
communication if it is neither carried by sound waves nor can fairly be characterized as one containing 
the human voice (carried in part by wire).” H.R. Rep. No. 99-647, at 35 (1986). Most electric or 
electronic signals that do not fit the definition of wire communications qualify as electronic 
communications. For example, almost all Internet communications (including e-mail) qualify as 
electronic communications. 



“Intercept” 

• Most courts have held that communications are intercepted only when they are acquired 
contemporaneously with their transmission (in “real time”). The Ninth Circuit has taken a 
different approach, however. 

Section 2510(4) defines “intercept” as “the aural or other acquisition of the contents of any wire, 
electronic, or oral communication through the use of any electronic, mechanical, or other device.” The 
word “acquisition” is notably ambiguous in this definition. For example, when law enforcement 
surveillance equipment records the contents of a communication, the communication might be 
“acquired” at three distinct points: first, when the equipment records the communication; second, when 
law enforcement later obtains the recording; or third, when law enforcement plays the recording and 
either hears or sees the contents of the communication. The text of § 2510(4) does not specify which of 
these events constitutes an “acquisition” for the purposes of ECPA. See United States v. Turk, 526 F.2d 
654, 657-58 (5th Cir. 1976). 

Courts confronted with this ambiguity have rendered inconsistent rulings. Many courts have held 
that both wire and electronic communications are intercepted only when they are acquired 
contemporaneously with their transmission. In other words, interception of the communications refers 
only to their real-time acquisition at the time of transmission between the parties to the communication. 
Subsequent access to a stored copy of the communication does not “intercept” the communication. See, 
e.g., Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457, 460-63 (5th Cir. 1994) 
(access to stored e-mail communications); Wesley College v. Pitts, 974 F. Supp. 375, 386 (D. Del. 
1997) (same); United States v. Meriwether, 917 F.2d 955, 960 (6th Cir. 1990) (access to stored pager 
communications); United States v. Reyes, 922 F. Supp. 818, 836 (S.D.N.Y. 1996) (same); Bohach v. 
City of Reno, 932 F. Supp. 1232, 1235-36 (D. Nev. 1996) (same); United States v. Moriarty, 962 F. 
Supp. 217, 220-21 (D. Mass. 1997) (access to stored wire communications); In re State Police 
Litigation, 888 F. Supp. 1235, 1264 (D. Conn. 1995) (same); Payne v. Norwest Corp., 911 F. Supp. 
1299, 1303 (D. Mont. 1995), aff’d in part and rev’d in part, 113 F.3d 1079 (9th Cir. 1997) (same). 

The Ninth Circuit has taken a very different approach. First, in United States v. Smith, 155 F.3d 
1051, 1058-59 (9th Cir. 1998), the court held that a party can intercept a wire communication by 
obtaining a copy of the communication in “electronic storage,” which is specifically defined in 
§ 2510(17). The court reasoned that wire communications should be treated differently than electronic 
communications because the definition of wire communication expressly included “any electronic 
storage of such communication,” but the definition of electronic communication did not include this 
phrase. See id. at 1057. Then, in a pro se civil case, Konop v. Hawaiian Airlines, 2001 WL 13232, - 
F.3d - (9th Cir. 2001), the court reversed course and concluded that it would be “senseless” to treat wire 
communications and electronic communications differently. Id. at *6-*7. Accordingly, the court held 
that obtaining a copy of an electronic communication in “electronic storage” can constitute an 
interception of the communication, just as it can for wire communications. See id. 

The most coherent interpretation of “intercept” in the context of wire communications lies between 
these two poles. The best evidence suggests that Congress intended for “intercept” to mean only 
real-time acquisition. However, in recognition of the fact that Congress also intended to protect voicemail in 
“electronic storage” by including it in the definition of wire communication, see S. Rep. No. 99-541, at 
12 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, agents should obtain a Title III order to access stored 
voicemail if the voicemail falls within the statutory definition of “electronic storage” articulated in 
§ 2510(17). See Chapter 3, Part B. In contrast, the decision in Konop is plainly incorrect: government 
access to electronic communications in “electronic storage” is governed by 18 U.S.C. § 2703, not 18 
U.S.C. § 2518. 



3. Exceptions to Title III 



Title III broadly prohibits the intentional interception, use, or disclosure of wire and electronic 
communications unless a statutory exception applies. See 18 U.S.C. § 2511(1). In general, this 
prohibition bars third parties (including the government) from wiretapping telephones and installing 
electronic “sniffers” that read Internet traffic. 

The breadth of Title III's prohibition means that the legality of most surveillance techniques under 
Title III depends upon whether a statutory exception to the rule applies. Title III contains dozens of 
exceptions, which may or may not apply in hundreds of different situations. In computer crime cases, 
however, six exceptions apply most often: 

A) interception pursuant to a § 2518 court order; 

B) the ‘consent’ exception, § 2511(2)(c)-(d); 

C) the ‘provider’ exception, § 2511(2)(a)(i); 

D) the ‘extension telephone’ exception, § 2510(5)(a); 

E) the ‘inadvertently obtained criminal evidence’ exception, § 2511(3)(b)(iv); and 

F) the ‘accessible to the public’ exception, § 2511(2)(g)(i). 

Prosecutors and agents need to understand the scope of these six exceptions in order to determine 
whether different surveillance strategies will comply with Title III. 



a) Interception Authorized by a Title III Order, 18 U.S.C. § 2518. 

Title III permits law enforcement to intercept wire and electronic communications pursuant to a 18 
U.S.C. § 2518 court order (“Title III order”). High-level Justice Department approval is required for 
federal Title III applications, by statute in the case of wire communications, and by Justice Department 
policy in the case of electronic communications (with exceptions to cover numeric pagers). When 
authorized by the Justice Department and signed by a United States District Court or Court of Appeals 
judge, a Title III order permits law enforcement to intercept communications for up to thirty days. See § 
2518. 



18 U.S.C. §§ 2516-18 imposes several formidable requirements that must be satisfied before 
investigators can obtain a Title III order. Most importantly, the application for the order must show 
probable cause to believe that the interception will reveal evidence of a predicate felony offense listed in 
§ 2516. See § 2518(3)(a)-(b). For federal agents, the predicate felony offense must be one of the crimes 
specifically enumerated in § 2516(1)(a)-(p) to intercept wire communications, or any felony to intercept 
electronic communications. See 18 U.S.C. § 2516(3). The predicate crimes for state investigations are 
listed in 18 U.S.C. § 2516(2). The application for a Title III order must also show that normal 
investigative procedures have been tried and failed, or that they reasonably appear to be unlikely to 
succeed or to be too dangerous, see § 2518(1)(c); must establish probable cause that the communication 
facility is being used in a crime; and must show that the surveillance will be conducted in a way that 
minimizes the interception of communications that do not provide evidence of a crime. See § 2518(5). 
For comprehensive guidance on the requirements of 18 U.S.C. § 2518, agents and prosecutors should 
consult the Justice Department’s Office of Enforcement Operations at (202) 514-6809. 



b) Consent of a Party to the Communication, 18 U.S.C. § 2511(2)(c)-(d) 

18 U.S.C. § 2511(2)(c) and (d) state: 

(c) It shall not be unlawful under this chapter for a person acting under color of law to 
intercept a wire, oral, or electronic communication, where such person is a party to the 
communication or one of the parties to the communication has given prior consent to such 
interception. 

(d) It shall not be unlawful under this chapter for a person not acting under color of law to 
intercept a wire, oral, or electronic communication where such person is a party to the 
communication or where one of the parties to the communication has given prior consent to 
such interception unless such communication is intercepted for the purpose of committing 
any criminal or tortious act in violation of the Constitution or laws of the United States or of 
any State. 



This language authorizes the interception of communications when one of the parties to the 
communication consents to the interception. For example, if an undercover government agent or 
informant records a telephone conversation between himself and a suspect, his consent to the recording 
authorizes the interception. See, e.g., Obron Atlantic Corp. v. Barr, 990 F.2d 861 (6th Cir. 1993) 
(relying on 2511(2)(c)). Similarly, if a private person records his own telephone conversations with 
others, his consent authorizes the interception unless the commission of a criminal, tortious, or other 
injurious act was at least a determinative factor in the person’s motivation for intercepting the 
communication. See United States v. Cassiere, 4 F.3d 1006, 1021 (1st Cir. 1993) (interpreting 
2511(2)(d)). 



In computer cases, two questions relating to 18 U.S.C. § 2511(2)(c)-(d) arise particularly often. 
First, to what extent can a posted notice or a “banner” generate implied consent and permit monitoring? 
Second, who is a “party to the communication” when a hacker routes an attack across a computer 
network? 

i) “Bannering” and Implied Consent 

• Monitoring use of a computer network does not violate Title III after users view an appropriate 
“network banner” informing them that use of the network constitutes consent to monitoring. 

Consent to Title III monitoring may be express or implied. See United States v. Amen, 831 F.2d 
373, 378 (2d Cir. 1987). Implied consent exists when circumstances indicate that a party to a 
communication was “in fact aware” of monitoring, and nevertheless proceeded to use the monitored 
system. United States v. Workman, 80 F.3d 688, 693 (2d Cir. 1996). See also Griggs-Ryan v. Smith, 
904 F.2d 112, 116 (1st Cir. 1990) (“[I]mplied consent is consent in fact which is inferred from 
surrounding circumstances indicating that the party knowingly agreed to the surveillance.”) (internal 
quotations omitted). In most cases, the key to establishing implied consent is showing that the 
consenting party received notice of the monitoring, and used the monitored system despite the notice. 
See Berry v. Funk, 146 F.3d 1003, 1011 (D.C. Cir. 1998). Proof of notice to the party generally 
supports the conclusion that the party knew of the monitoring. See Workman, 80 F.3d at 693. Absent 
proof of notice, the government must “convincingly” show that the party knew about the interception 
based on surrounding circumstances in order to support a finding of implied consent. United States v. 
Lanoue, 71 F.3d 966, 981 (1st Cir. 1995). 

In computer cases, the implied consent doctrine permits monitoring of a computer network that has 
been properly “bannered.” A banner is a posted notice informing users as they log on to a network that 
their use may be monitored, and that subsequent use of the system will constitute consent to the 
monitoring. Every user who sees the banner before logging on to the network has received notice of the 
monitoring: by using the network in light of the notice, the user impliedly consents to monitoring 
pursuant to 18 U.S.C. § 2511(2)(c)-(d). See, e.g., Workman, 80 F.3d at 693-94 (holding that explicit 
notices that prison telephones would be monitored generated implied consent to monitoring among 
inmates who subsequently used the telephones); United States v. Amen, 831 F.2d 373, 379 (2d Cir. 
1987) (same). But see United States v. Thomas, 902 F.2d 1238, 1245 (7th Cir. 1990) (dicta) 
(questioning the reasoning of Amen). 

The scope of consent generated by a banner generally depends on the banner’s language: network 
banners are not “one size fits all.” A narrowly worded banner may authorize only some kinds of 
monitoring; a broadly worded banner may permit monitoring in many circumstances for many reasons. 
In deciding what kind of banner is right for a given computer network, system providers look at the 
network’s purpose, the system administrator’s needs, and the users’ culture. For example, a sensitive 
Department of Defense computer network might require a broad banner, while a state university 
network used by professors and students could use a narrow one. Appendix A contains several sample 
banners that reflect a range of approaches to network monitoring. 



ii) Who is a “Party to the Communication” in a Network Intrusion? 

Sections 2511(2)(c) and (d) permit any “person” who is a “party to the communication” to consent 
to monitoring of that communication. In the case of wire communications, a “party to the 
communication” is usually easy to identify. For example, either conversant in a two-way telephone 
conversation is a party to the communication. See, e.g., United States v. Davis, 1 F.3d 1014, 1015 (10th 
Cir. 1993). In a computer network environment, in contrast, the simple framework of a two-way 
communication between two parties breaks down. When a hacker launches an attack against a computer 
network, for example, he may route the attack through a handful of compromised computer systems 
before directing the attack at a final victim. At the victim’s computer, the hacker may direct the attack 
at a user’s network account, at the system administrator’s “root” account, or at common files. Finding a 
“person” who is a “party to the communication” — other than the hacker himself, of course — can be a 
difficult (if not entirely metaphysical) task. 

Because of these difficulties, agents and prosecutors should adopt a cautious approach to the “party 
to the communication” consent exception. A few courts have suggested that the owner of a computer 
system may satisfy the “party to the communication” language when a user sends a communication to 
the owner’s system. See United States v. Seidlitz, 589 F.2d 152, 158 (4th Cir. 1978) (concluding in dicta 
that a company that leased and maintained a compromised computer system was “for all intents and 
purposes a party to the communications” when company employees intercepted intrusions into the 
system from an unauthorized user using a supervisor’s hijacked account); United States v. Mullins, 992 
F.2d 1472, 1478 (9th Cir. 1993) (stating as an alternate holding that the consent exception of 
§ 2511(2)(d) authorizes monitoring of computer system misuse because the owner of the computer system is a 
party to the communication). Even accepting this interpretation, however, adhering to it may pose 
serious practical difficulties. Because hackers often loop from one victim computer through to another, 
creating a “daisy chain” of systems carrying the traffic, agents have no way of knowing ahead of time 
which computer will be the ultimate destination for any future communication. If a mere pass-through 
victim cannot be considered a “party to the communication” — an issue unaddressed by the courts — a 
hacker's decision to loop from one victim to another could change who can consent to monitoring. In 
that case, agents trying to monitor with the victim's consent would have no way of knowing whether that 
victim will be a “party to the communication” for any future communication. 



c) The Provider Exception, 18 U.S.C. § 2511(2)(a)(i) 

• Employees or agents of communications service providers may intercept and disclose 
communications in self-defense to protect the providers’ rights or property. For example, system 
administrators of computer networks generally may monitor hackers intruding into their networks 
and then disclose the fruits of monitoring to law enforcement without violating Title III. This 
privilege belongs to the provider alone, however, and cannot be exercised by law enforcement. 

18 U.S.C. § 2511(2)(a)(i) permits 

an operator of a switchboard, or [a]n officer, employee, or agent of a provider of wire or 
electronic communication service, whose facilities are used in the transmission of a wire or 
electronic communication, to intercept, disclose, or use that communication in the normal 
course of his employment while engaged in any activity which is a necessary incident to the 
rendition of his service or to the protection of the rights or property of the provider of that 
service, except that a provider of wire communication service to the public shall not utilize 
service observing or random monitoring except for mechanical or service quality control 
checks. 

The “protection of the rights or property of the provider” clause of § 2511(2)(a)(i) grants providers 
the right “to intercept and monitor [communications] placed over their facilities in order to combat fraud 
and theft of service.” United States v. Villanueva, 32 F. Supp. 2d 635, 639 (S.D.N.Y. 1998). For 
example, employees of a cellular phone company may intercept communications from an illegally 
“cloned” cell phone in the course of locating its source. See United States v. Pervaz, 118 F.3d 1, 5 (1st 
Cir. 1997). The exception also permits providers to monitor misuse of a system in order to protect the 
system from damage, theft, or invasions of privacy. For example, system administrators can track 
hackers within their networks in order to prevent further damage. Cf. Mullins, 992 F.2d at 1478 
(concluding that need to monitor misuse of computer system justified interception of electronic 
communications according to § 2511(2)(a)(i)). 

Importantly, the provider exception of § 2511(2)(a)(i) does not permit providers to conduct 
unlimited monitoring. See United States v. Auler, 539 F.2d 642, 646 (7th Cir. 1976) (“This authority of 
the telephone company to intercept and disclose wire communications is not unlimited.”). Instead, the 
exception permits providers and their agents to conduct reasonable monitoring that balances the 
providers’ needs to protect their rights and property with their subscribers’ right to privacy in their 
communications. See United States v. Harvey, 540 F.2d 1345, 1350 (8th Cir. 1976) (“The federal 
courts . . . have construed the statute to impose a standard of reasonableness upon the investigating 
communication carrier.”). Providers investigating unauthorized use of their systems have broad 
authority to monitor and then disclose evidence of unauthorized use under § 2511(2)(a)(i), but should 
attempt to tailor their monitoring and disclosure so as to minimize the interception and disclosure of 
private communications unrelated to the investigation. See, e.g., United States v. Freeman, 524 F.2d 
337, 340 (7th Cir. 1975) (concluding that phone company investigating use of illegal “blue boxes” 
designed to steal long-distance service acted permissibly under § 2511(2)(a)(i) when it intercepted the 
first two minutes of every conversation authorized by a “blue box,” but did not intercept legitimately 
authorized communications). In particular, there must be a “substantial nexus” between the monitoring 
and the threat to the provider’s rights or property. United States v. McLaren, 957 F. Supp. 215, 219 
(M.D. Fla. 1997). Further, although providers legitimately may protect their rights or property by 
gathering evidence of wrongdoing for criminal prosecution, see United States v. Harvey, 540 F.2d 1345, 
1352 (8th Cir. 1976), they cannot use the rights or property exception to gather evidence of crime 
unrelated to their rights or property. See Bubis v. United States, 384 F.2d 643, 648 (9th Cir. 1967) 
(provider monitoring to convict blue box user of interstate transmission of wagering information 
impermissible) (interpreting Title III’s predecessor statute, 47 U.S.C. § 605). 



Agents and prosecutors must resist the urge to use the provider exception to satisfy law 
enforcement needs. Although the exception permits providers to intercept and disclose communications 
to law enforcement to protect their rights or property, see Harvey, 540 F.2d at 1352, it does not permit 
law enforcement officers to direct or ask system administrators to monitor for law enforcement 
purposes. For example, in McClelland v. McGrath, 31 F. Supp. 2d 616 (N.D. Ill. 1998), police officers 
investigating a kidnaping traced the kidnaper's calls to an unauthorized “cloned” cellular phone. Eager 
to learn more about the kidnaper’s identity and location, the police asked the cellular provider to 
intercept the kidnaper’s communications and relay any information to the officers that might assist them 
in locating the kidnaper. The provider agreed, listened to the kidnaper’s calls, and then passed on the 
information to the police, leading to the kidnaper’s arrest. Later, the kidnaper sued the officers for 
intercepting his phone calls, and the officers argued that § 2511(2)(a)(i) authorized the interceptions 
because the provider could monitor the cloned phone to protect its rights against theft. Although the 
court noted that the suit “might seem the very definition of chutzpah,” it held that § 2511(2)(a)(i) did not 
authorize the interception to the extent that the police had directed the provider to monitor for law 
enforcement purposes unrelated to the provider’s rights or property: 

What the officers do not seem to understand ... is that they are not free to ask or direct [the 
provider] to intercept any phone calls or disclose their contents, at least not without 
complying with the judicial authorization provisions of the Wiretap Act, regardless of 
whether [the provider] would have been entitled to intercept those calls on its own initiative. 

Id. at 619. Because the purpose of the monitoring appeared to be to locate and identify the kidnaper (a 
law enforcement interest), rather than to combat telephone fraud (a provider interest), the court refused 
to grant summary judgment for the officers on the basis of § 2511(2)(a)(i). See id.; see also United 
States v. Savage, 564 F.2d 728, 731 (5th Cir. 1977) (agreeing with district court ruling that a police 
officer exceeded the provider exception by commandeering a telephone operator’s monitoring). 

In light of such difficulties, agents and prosecutors should adopt a cautious approach to accepting 
the fruits of monitoring conducted by providers under the provider exception. Law enforcement agents 
generally should feel free to accept the fruits of monitoring that a provider collected pursuant to 
§ 2511(2)(a)(i) prior to communicating with law enforcement about the suspected criminal activity. After law 
enforcement and the provider have communicated with each other, however, law enforcement should 
only accept the fruits of a provider’s monitoring if certain requirements have been met that indicate that 
the provider is monitoring and disclosing to protect its rights or property. In the common case of a 
computer intrusion into a privately owned computer network, for example, law enforcement generally 
should accept the fruits of provider monitoring only when: 1) the provider is a victim of the crime and 
affirmatively wishes both to intercept and to disclose to protect the provider’s rights or property, 2) law 
enforcement verifies that the provider’s intercepting and disclosure was motivated by the provider’s 
wish to protect its rights or property, rather than to assist law enforcement, 3) law enforcement has not 
tasked, directed, requested, or coached the monitoring or disclosure for law enforcement purposes, and 
4) law enforcement does not participate in or control the actual monitoring that occurs. Although not 
required by law, CCIPS strongly recommends that agents should obtain a written document from the 
private provider indicating the provider’s understanding of its rights and its desire to monitor and 
disclose to protect its rights or property. Review by a CTC in the relevant district or CCIPS at (202) 
514-1026 is also recommended. By following these procedures, agents can greatly reduce the risk that 
any provider monitoring and disclosure will exceed the acceptable limits of § 2511(2)(a)(i). A sample 
provider letter appears in Appendix G. 

• Law enforcement involvement in provider monitoring of government networks creates special 
problems. Because the lines of authority often blur, law enforcement agents should exercise 
extreme care. 

The rationale of the provider exception presupposes that a sharp line exists between providers and 
law enforcement officers. Under this scheme, providers are concerned with protecting their networks 
from abuse, and law enforcement officers are concerned with investigating crime and prosecuting 
wrongdoers. This line can seem to break down, however, when the network to be protected belongs to 
an agency or branch of the government. For example, federal government entities such as NASA, the 
Postal Service, and the military services have both massive computer networks and considerable law 
enforcement presences (within Inspectors General offices in the case of civilian agencies, and military 
criminal investigative services). Because law enforcement officers and system administrators within the 
government generally consider themselves to be ‘on the same team,’ it is all too easy in that context for 
law enforcement agents to feel comfortable commandeering provider monitoring and justifying it under 
a broad interpretation of the protection of the provider’s “rights or property.” Although the courts have 
not addressed the viability of this theory of provider monitoring, such an interpretation, at least in its 
broadest form, may be difficult to reconcile with some of the cases interpreting the provider exception. 
See, e.g., McLaren, 957 F. Supp. at 219. CCIPS strongly recommends a cautious approach: agents and 
prosecutors should assume that the courts interpreting § 2511(2)(a)(i) in the government network 
context will enforce the same strict line between law enforcement and provider interests that they have 
enforced in the case of private networks. See, e.g., Savage, 564 F.2d at 731; McClelland, 31 F. Supp. 2d 
at 619. Accordingly, CCIPS urges law enforcement agents to exercise a high degree of caution when 
agents wish to accept the fruits of monitoring under the provider exception from a government provider. 
Agents and prosecutors should call CCIPS at (202) 514-1026 for additional guidance in specific cases. 

The “necessary to the rendition of his service” clause of § 2511(2)(a)(i) provides the second 
context in which the provider exception applies. This language permits providers to intercept, use, or 
disclose communications in the ordinary course of business when the interception is unavoidable. 
See United States v. New York Tel. Co., 434 U.S. 159, 168 n.13 (1977) (noting that § 2511(2)(a)(i) 
“excludes all normal telephone company business practices” from the prohibition of Title III). For 
example, a switchboard operator may briefly overhear conversations when connecting calls. See, e.g., 
United States v. Savage, 564 F.2d 728, 731-32 (5th Cir. 1977); Adams v. Sumner, 39 F.3d 933, 935 (9th 
Cir. 1994). Similarly, repairmen may overhear snippets of conversations when tapping phone lines in 
the course of repairs. See United States v. Ross, 713 F.2d 389 (8th Cir. 1983). Although the “necessary 
incident to the rendition of his service” language has not been interpreted in the context of electronic 
communications, these cases suggest that this phrase would permit a system administrator to intercept 
communications in the course of repairing or maintaining a network.[17] 



d) The Extension Telephone Exception, 18 U.S.C. § 2510(5)(a) 

According to 18 U.S.C. § 2510(5)(a), the use of 
any telephone or telegraph instrument, equipment or facility, or any component thereof, (i) 
furnished to the subscriber or user by a provider of wire or electronic communication 
service in the ordinary course of its business and being used by the subscriber or user in the 
ordinary course of its business or furnished by such subscriber or user for connection to the 
facilities of such service and used in the ordinary course of its business; or (ii) being used 
by a provider of wire or electronic communication service in the ordinary course of its 
business, or by an investigative or law enforcement officer in the ordinary course of his 
duties 



does not violate Title III.[18] As originally drafted, Congress intended this exception to have a fairly 
narrow purpose: the exception primarily was designed to permit businesses to monitor by way of an 
“extension telephone” the performance of their employees who spoke on the phone to customers. The 
“extension telephone” exception makes clear that when a phone company furnishes an employer with an 
extension telephone for a legitimate work-related purpose, the employer’s monitoring of employees 
using the extension phone for legitimate work-related purposes does not violate Title III. See Briggs v. 
American Air Filter Co., 630 F.2d 414, 418 (5th Cir. 1980) (reviewing legislative history of Title III); 
Watkins v. L.M. Berry & Co., 704 F.2d 577, 582 (11th Cir. 1983) (applying exception to permit 
monitoring of sales representatives); James v. Newspaper Agency Corp., 591 F.2d 579, 581 (10th Cir. 
1979) (applying exception to permit monitoring of newspaper employees’ conversations with 
customers). 

The case law interpreting the extension telephone exception is notably erratic, largely owing to the 
ambiguity of the phrase ‘ordinary course of business.’ Some courts have interpreted ‘ordinary course of 
business’ broadly to mean ‘within the scope of a person’s legitimate concern,’ and have applied the 
extension telephone exception to contexts such as intra-family disputes. See, e.g., Simpson v. Simpson, 
490 F.2d 803, 809 (5th Cir. 1974) (holding that husband did not violate Title III by recording wife’s 
phone calls); Anonymous v. Anonymous, 558 F.2d 677, 678-79 (2d Cir. 1977) (holding that husband 
did not violate Title III in recording wife’s conversations with their daughter in his custody). Other 
courts have rejected this broad reading, and have implicitly or explicitly excluded surreptitious activity 
from conduct within the ‘ordinary course of business.’ See United States v. Harpel, 493 F.2d 346, 351 
(10th Cir. 1974) (“We hold as a matter of law that a telephone extension used without authorization or 
consent to surreptitiously record a private telephone conversation is not used in the ordinary course of 
business.”); Pritchard v. Pritchard, 732 F.2d 372, 374 (4th Cir. 1984) (rejecting view that § 2510(5)(a) 
exempts interspousal wiretapping from Title III liability); United States v. Jones, 542 F.2d 661, 668-670 
(6th Cir. 1976) (same). Some of the courts that have embraced the narrower construction of the 
extension telephone exception have stressed that it permits only limited work-related monitoring by 
employers. See, e.g., Deal v. Spears, 980 F.2d 1153, 1158 (8th Cir. 1992) (holding that employer 
monitoring of employee was not authorized by the extension telephone exception in part because the 
scope of the interception was broader than that normally required in the ordinary course of business). 

The exception in 18 U.S.C. § 2510(5)(a)(ii) that permits the use of “any telephone or telegraph 
instrument, equipment or facility, or any component thereof” by “an investigative or law enforcement 
officer in the ordinary course of his duties” is a common source of confusion. This language does not 
permit agents to intercept private communications on the theory that a law enforcement agent may need 
to intercept communications “in the ordinary course of his duties.” As Chief Judge Posner has 
explained: 

Investigation is within the ordinary course of law enforcement, so if ‘ordinary’ were read 
literally warrants would rarely if ever be required for electronic eavesdropping, which was 
surely not Congress's intent. Since the purpose of the statute was primarily to regulate the 
use of wiretapping and other electronic surveillance for investigatory purposes, "ordinary" 
should not be read so broadly; it is more reasonably interpreted to refer to routine 
noninvestigative recording of telephone conversations. . . . Such recording will rarely be 
very invasive of privacy, and for a reason that does after all bring the ordinary-course 
exclusion rather close to the consent exclusion: what is ordinary is apt to be known; it 
imports implicit notice. 

Amati v. City of Woodstock, 176 F.3d 952, 955 (7th Cir. 1999). For example, routine taping of all 
telephone calls made to and from a police station may fall within this exception, but nonroutine taping 
designed to target a particular suspect ordinarily would not. See id. Accord United States v. Van 
77 F.3d 285, 292 (9th Cir. 1996) (concluding that routine recording of calls made from prison fall within 
law enforcement exception). 



e) The ‘Inadvertently Obtained Criminal Evidence’ Exception, 18 U.S.C. § 2511(3)(b)(iv) 

18 U.S.C. § 2511(3)(b) lists several narrow contexts in which a provider of electronic 
communication service to the public can divulge the contents of communications. The most important 
of these exceptions permits a public provider to divulge the contents of any communications that 



were inadvertently obtained by the service provider and which appear to pertain to the 
commission of a crime, if such divulgence is made to a law enforcement agency. 



18 U.S.C. § 2511(3)(b)(iv). Although this exception has not yet been applied by the courts in any 
published cases involving computers, its language appears to permit providers to report criminal conduct 
(e.g., child pornography or evidence of a fraud scheme) in certain circumstances without violating Title 
III. Compare 18 U.S.C. § 2702(b)(6)(A) (creating an analogous rule for stored communications). 



f) The ‘Accessible to the Public’ Exception, 18 U.S.C. § 2511(2)(g)(i) 

18 U.S.C. § 2511(2)(g)(i) permits “any person” to intercept an electronic communication made 
through a system “that is configured so that . . . [the] communication is readily accessible to the general 
public.” Although this exception has not yet been applied by the courts in any published cases involving 
computers, its language appears to permit the interception of an electronic communication that has been 
posted to a public bulletin board or a Usenet newsgroup. 



D. Remedies For Violations of Title III and the Pen/Trap Statute 

Agents and prosecutors must adhere strictly to the dictates of Title III and the Pen/Trap statute 
when planning electronic surveillance, as violations can result in civil penalties, criminal penalties, and 
suppression of the evidence obtained. See 18 U.S.C. § 2511(4) (criminal penalties for Title III 
violations); 18 U.S.C. § 2520 (civil damages for Title III violation); 18 U.S.C. § 3121(d) (criminal 
penalties for pen/trap violations); 18 U.S.C. § 2518(10)(a) (suppression for Title III violations). As a 
practical matter, however, courts may conclude that the electronic surveillance statutes were violated 
even after agents and prosecutors have acted in good faith and with full regard for the law. For example, 
a private citizen may sometimes wiretap his neighbor and later turn over the evidence to the police, or 
agents may intercept communications using a court order that the agents later learn is defective. 
Similarly, a court may construe an ambiguous portion of Title III differently than did the investigators, 
leading the court to find that a violation of Title III occurred. In these circumstances, prosecutors and 
agents must understand not only what conduct the surveillance statutes prohibit, but also what the 
ramifications might be if a court finds that the statutes have been violated. 



1. Suppression Remedies 

• Title III provides for statutory suppression of wrongfully intercepted oral and wire 
communications, but not electronic communications. The Pen/Trap statute does not provide a 
statutory suppression remedy. Of course, constitutional violations ordinarily will result in 
suppression of the evidence wrongfully obtained. 

a) Statutory Suppression Remedies 

i) General: Interception of Wire Communications Only 

The statutes that govern electronic surveillance grant statutory suppression remedies to defendants 
only in a specific set of cases. In particular, a defendant may only move for suppression on statutory 
grounds when the defendant was a party to an oral or wire communication that was intercepted in 
violation of Title III. See 18 U.S.C. § 2518(10)(a). See also United States v. Giordano, 416 U.S. 505, 
524 (1974) (stating that “[w]hat disclosures are forbidden [under § 2515], and are subject to motions to 
suppress, is . . . governed by § 2518(10)(a)”); United States v. Williams, 124 F.3d 411, 426 (3d Cir. 
1997). Section 2518(10)(a) states: 

[A]ny aggrieved person . . . may move to suppress the contents of any wire or oral 
communication intercepted pursuant to this chapter, or evidence derived therefrom, on the 
grounds that- 

(i) the communication was unlawfully intercepted; 

(ii) the order of authorization or approval under which it was intercepted is 
insufficient on its face; or 

(iii) the interception was not made in conformity with the order of authorization 
or approval. 

18 U.S.C. § 2518(10)(a). Notably, Title III does not provide a statutory suppression remedy for 
unlawful interceptions of electronic communications. See Steve Jackson Games, Inc. v. United States 
Secret Service, 36 F.3d 457, 461 n.6 (5th Cir. 1994); United States v. Meriwether, 917 F.2d 955, 960 
(6th Cir. 1990). Similarly, the Pen/Trap statute does not provide a statutory suppression remedy for 
violations. See United States v. Fregoso, 60 F.3d 1314, 1320-21 (8th Cir. 1995); United States v. 
Thompson, 936 F.2d 1249, 1249-50 (11th Cir. 1991). 

ii) Unauthorized Parties 

The plain language of Title III appears to offer a suppression remedy to any party to an unlawfully 
intercepted wire communication, regardless of whether the party was authorized or unauthorized to use 
the communication system. See 18 U.S.C. § 2510(11) (defining an “aggrieved person” who may move 
to suppress under § 2518(10)(a) as “a person who was a party to any intercepted wire, oral, or electronic 
communication or a person against whom the interception was directed”). Despite this broad definition, 
it is unclear whether a computer hacker could move for suppression of evidence that recorded the 
hacker’s unauthorized activity within the victim’s computer network. The one court that has evaluated 
this question expressed serious doubts. See United States v. Seidlitz, 589 F.2d 152, 160 (4th Cir. 1978) 
(stating in dicta that “we seriously doubt that [a hacker whose communications were monitored by the 
system administrator of a victim network] is entitled to raise . . . objections to the evidence [under Title 
III]”). 



The Fourth Circuit’s suggestion in Seidlitz is consistent with other decisions interpreting the 
definition of “aggrieved person” in 18 U.S.C. § 2510(11). Relying on the legislative history of Title III, 
the Supreme Court has stressed that Title III’s suppression remedy was not intended “generally to press 
the scope of the suppression role beyond present search and seizure law.” Scott v. United States, 436 
U.S. 128, 139 (1978) (quoting S. Rep. No. 90-1097, at 96 (1968), and citing Alderman v. United States, 
394 U.S. 165, 175-76 (1969)). If monitoring does not violate a suspect’s reasonable expectation of 
privacy under the Fourth Amendment, the cases suggest, the suspect cannot be an “aggrieved” person 
who can move for suppression under Title III. See United States v. King, 478 F.2d 494, 506 (9th Cir. 
1973) (“[A] defendant may move to suppress the fruits of a wire-tap [under Title III] only if his privacy 
was actually invaded.”); United States v. Baranek, 903 F.2d 1068, 1072 (6th Cir. 1990) (“[We] do not 
accept defendant’s contention that fourth amendment law is not involved in the resolution of Title III 
suppression issues .... Where, as here, we have a case with a factual situation clearly not contemplated 
by the statute, we find it helpful on the suppression issue ... to look to fourth amendment law.”). 

Because monitoring a hacker’s attack ordinarily does not violate the hacker’s reasonable 
expectation of privacy, see “Constitutional Suppression Remedies,” infra, it is unclear whether a hacker 
can be an “aggrieved person” entitled to move for suppression of such monitoring under § 2518(10)(a). 
No court has addressed this question directly. Of course, civil and criminal penalties for unlawful 
monitoring continue to exist, even if the unlawful monitoring itself targets unauthorized use. See, e.g., 
McClelland v. McGrath, 31 F. Supp. 616 (N.D. Ill. 1998) (civil suit brought by a kidnaper against police 
officers for unlawful monitoring of the kidnaper’s unauthorized use of a cloned cellular phone). 



iii) Suppression Following Interception with a Defective Title III Order 

Under § 2518(10)(a), the courts generally will suppress evidence resulting from any unlawful 
interception of an aggrieved party’s wire communication that takes place without a court order. 
However, when investigators procure a Title III order that later turns out to be defective, the courts will 
suppress the evidence obtained with the order only if the defective order “fail[ed] to satisfy any of those 
statutory requirements that directly and substantially implement the congressional intention [in enacting 
Title III] to limit the use of intercept procedures to those situations clearly calling for the employment of 
this extraordinary investigative device.” United States v. Giordano, 416 U.S. 505, 527 (1974). 

This standard requires the courts to distinguish technical defects from substantive ones. If the 
defect in the Title III order concerns only technical aspects of Title III, the fruits of the interception will 
not be suppressed. In contrast, courts will suppress the evidence if the defect reflects a failure to comply 
with a significant requirement of Title III. Compare Giordano, 416 U.S. at 527-28 (holding that failure 
to receive authorization from Justice Department official listed in § 2516(1) for order authorizing 
interception of wire communications requires suppression in light of importance of such authorization to 
statutory scheme) with United States v. Moore, 41 F.3d 370, 375 (8th Cir. 1994) (reversing district 
court’s suppression order on ground that judge’s failure to sign the Title III order in the correct place 
was merely a technical defect). Defects that directly implicate constitutional concerns such as probable 
cause and particularity, see Berger v. New York, 388 U.S. 41, 58-60 (1967), will generally be 
considered substantive defects that require suppression. See United States v. Ford, 553 F.2d 146, 173 
(D.C. Cir. 1977). 



iv) The “Clean Hands” Exception in the Sixth Circuit 

18 U.S.C. § 2518(10)(a)(i) states that an aggrieved person may move to suppress the contents of 
wire communications when “the communication was unlawfully intercepted.” The plain language of this 
statute suggests that the government cannot use the fruits of an illegally intercepted wire communication 
as evidence in court, even if the government itself did not intercept the communication. For example, if 
a private citizen wiretaps another private citizen and then hands over the results to the government, the 
general rule is that the government cannot use the evidence in court. See United States v. Vest, 813 F.2d 
477, 481 (1st Cir. 1987). 

Despite this general rule, the Sixth Circuit has fashioned a “clean hands” exception that permits the 
government to use any illegally intercepted communication so long as the government “played no part in 
the unlawful interception.” United States v. Murdock, 63 F.3d 1391, 1404 (6th Cir. 1995). In Murdock, 
Mrs. Harold Murdock surreptitiously recorded her estranged husband’s phone conversations at their 
family-run funeral home. When she later listened to the recordings, she heard evidence that her husband 
had accepted a $90,000 bribe to award a government contract to a local dairy while serving as president 
of the Detroit School Board. Mrs. Murdock sent an anonymous copy of the recording to a competing 
bidder for the contract, who offered the copy to law enforcement. The government then brought tax 
evasion charges against Mr. Murdock on the theory that Mr. Murdock had not reported the $90,000 
bribe as taxable income. 

Following a trial in which the recording was admitted in evidence against him, the jury convicted 
Mr. Murdock, and he appealed. The Sixth Circuit affirmed, ruling that although Mrs. Murdock had 
violated Title III by recording her husband’s phone calls, this violation did not bar the admission of the 
recordings in a subsequent criminal trial. The court reasoned that Mrs. Murdock’s illegal interception 
could be analogized to a Fourth Amendment private search, and concluded that Title III did not preclude 
the government “from using evidence that literally falls into its hands” because it would have no 
deterrent effect on the government’s conduct. Id. at 1404. 

Since the Sixth Circuit decided Murdock, three circuits have rejected the “clean hands” exception, 
and instead have embraced the First Circuit’s Vest rule that the government cannot use the fruits of 
unlawful interception even if the government was not involved in the initial interception. See Berry v. 
Funk, 146 F.3d 1003, 1013 (D.C. Cir. 1998) (dicta); Chandler v. United States Army, 125 F.3d 1296, 
1302 (9th Cir. 1997); In re Grand Jury, 111 F.3d 1066, 1077-78 (3d Cir. 1997). The remaining circuits 
have not addressed whether they will recognize a “clean hands” exception to Title III. 



b) Constitutional Suppression Remedies 

Defendants may move to suppress evidence from electronic surveillance of communications 
networks on either statutory or Fourth Amendment constitutional grounds. Although Fourth 
Amendment violations generally lead to suppression of evidence, see Mapp v. Ohio, 367 U.S. 643, 655 
(1961), defendants move to suppress the fruits of electronic surveillance on constitutional grounds only 
rarely. This is true for two related reasons. First, Congress’s statutory suppression remedies tend to be 
as broad or broader in scope than their constitutional counterparts. See, e.g., Chandler, 125 F.3d at 
1298; Ford, 553 F.2d at 173. Cf. United States v. Torres, 751 F.2d 875, 884 (7th Cir. 1984) (noting that 
Title III is a “carefully thought out, and constitutionally valid . . . effort to implement the requirements 
of the Fourth Amendment.”). Second, electronic surveillance statutes often regulate government access 
to evidence that is not protected by the Fourth Amendment. See United States v. Hall, 488 F.2d 193, 
198 (9th Cir. 1973) (“Every electronic surveillance is not constitutionally proscribed and whether the 
interception is to be suppressed must turn upon the facts of each case.”). For example, the Supreme 
Court has held that the use and installation of pen registers does not constitute a Fourth Amendment 
“search.” See Smith v. Maryland, 442 U.S. 735, 742 (1979). As a result, use of a pen/trap device in 
violation of the pen/trap statute ordinarily does not lead to suppression of evidence on Fourth 
Amendment grounds. See United States v. Thompson, 936 F.2d 1249, 1251 (11th Cir. 1991). 

It is likely that the scope of Fourth Amendment doctrine would also preclude a hacker from 
enjoying a constitutional entitlement to the suppression of unlawful monitoring of his unauthorized 
activity. As the Fourth Circuit noted in Seidlitz, a computer hacker who breaks into a victim computer 
“intrude[s] or trespasse[s] upon the physical property of [the victim] as effectively as if he had broken 
into the . . . facility and instructed the computers from one of the terminals directly wired to the 
machines.” Seidlitz, 589 F.2d at 160. See also CompuServe, Inc. v. Cyber Promotions, Inc., 962 F. 
Supp. 1015, 1021 (S.D. Ohio 1997) (noting cases analogizing computer hacking to trespassing). A 
trespasser does not have a reasonable expectation of privacy where his presence is unlawful. See Rakas 
v. Illinois, 439 U.S. 128, 143 n.12 (1978) (noting that “[a] burglar plying his trade in a summer cabin 
during the off season may have a thoroughly justified subjective expectation of privacy, but it is not one 
which the law recognizes as ‘legitimate’”); Amezquita v. Colon, 518 F.2d 8, 11 (1st Cir. 1975) (holding 
that squatters had no reasonable expectation of privacy on government land where the squatters had no 
colorable claim to occupy the land). Accordingly, a computer hacker would have no reasonable 
expectation of privacy in his unauthorized activities that were monitored from within a victim 
computer. “[H]aving been ‘caught with his hand in the cookie jar’,” the hacker has no constitutional 
right to the suppression of evidence of his unauthorized activities. Seidlitz, 589 F.2d at 160. 



2. Defenses to Civil and Criminal Actions 

• Agents and prosecutors are generally protected from liability under Title III for reasonable 
decisions made in good faith in the course of their official duties. 

Civil and criminal actions may result when law enforcement officers violate the electronic 
surveillance statutes. In general, the law permits such actions when law enforcement officers abuse their 
authority, but protects officers from suit for reasonable good-faith mistakes made in the course of their 
official duties. The basic approach was articulated over a half century ago by Judge Learned Hand: 

There must indeed be means of punishing public officers who have been truant to their 
duties; but that is quite another matter from exposing such as have been honestly mistaken 
to suit by anyone who has suffered from their errors. As is so often the case, the answer 
must be found in a balance between the evils inevitable in either alternative. 

Gregoire v. Biddle, 177 F.2d 579, 580 (2d Cir. 1949). When agents and prosecutors are subject to civil 
or criminal suits for electronic surveillance, the balance of evils has been struck by both a statutory 
good-faith defense and a widely (but not uniformly) recognized judge-made qualified-immunity defense. 



a) Good-Faith Defense 

Both Title III and the Pen/Trap statute offer a statutory good-faith defense. According to these 
statutes, 

a good faith reliance on ... a court warrant or order, a grand jury subpoena, a legislative 
authorization, or a statutory authorization ... is a complete defense against any civil or 
criminal action brought under this chapter or any other law. 

18 U.S.C. § 2520(d) (good-faith defense for Title III violations). See also 18 U.S.C. § 3123(e) 
(good-faith defense for pen/trap violations). 

The relatively few cases interpreting the good-faith defense are notably erratic. In general, 
however, the courts have permitted law enforcement officers to rely on the good-faith defense when they 
make honest mistakes in the course of their official duties. See, e.g., Kilgore v. Mitchell, 623 F.2d 631, 
663 (9th Cir. 1980) (“Officials charged with violation of Title III may invoke the defense of good faith 
under § 2520 if they can demonstrate: (1) that they had a subjective good faith belief that they were 
acting in compliance with the statute; and (2) that this belief was itself reasonable.”); Hallinan v. 
Mitchell, 418 F. Supp. 1056, 1057 (N.D. Cal. 1976) (good-faith exception protects Attorney General 
from civil suit after Supreme Court rejects Attorney General's interpretation of Title III). In contrast, the 
courts have not permitted private parties to rely on good-faith 'mistake of law' defenses in civil 
wiretapping cases. See, e.g., Williams v. Poulos, 11 F.3d 271, 285 (1st Cir. 1993); Heggy v. Heggy, 944 
F.2d 1537, 1541 (10th Cir. 1991). 



b) Qualified Immunity 

The courts have generally recognized a qualified immunity defense to Title III civil suits in 
addition to the statutory good-faith defense. See Tapley v. Collins, 211 F.3d 1210, 1216 (11th Cir. 
2000) (holding that public officials sued under Title III may invoke qualified immunity in addition to the 
good faith defense); Blake v. Wright, 179 F.3d 1003, 1013 (6th Cir. 1999) (holding that qualified 
immunity protects police chief from suit by employees who were monitored where “the dearth of law 
surrounding the . . . statute fails to clearly establish whether [the defendant's] activities violated the 
law.”); Davis v. Zirkelbach, 149 F.3d 614, 618, 620 (7th Cir. 1998) (qualified immunity defense applies 
to police officers and prosecutors in civil wiretapping case); Zweibon v. Mitchell, 720 F.2d 162 (D.C. 
Cir. 1983). But see Berry v. Funk, 146 F.3d 1003, 1013-14 (D.C. Cir. 1998) (distinguishing Zweibon, 
and concluding that qualified immunity does not apply to Title III violations because the statutory 
good-faith defense exists). Under the doctrine of qualified immunity, 

government officials performing discretionary functions generally are shielded from 
liability for civil damages insofar as their conduct does not violate clearly established 
statutory or constitutional rights of which a reasonable person would have known. 

Harlow v. Fitzgerald, 457 U.S. 800, 818 (1982). In general, qualified immunity protects 
government officials from suit when “[t]he contours of the right” violated were not so clear that a 
reasonable official would understand that his conduct violated the law. Anderson v. Creighton, 483 U.S. 
635, 640 (1987); Burns v. Reed, 500 U.S. 478, 496 (1991) (prosecutors receive qualified immunity for 
legal advice to police). 

Of course, whether a statutory right under Title III is “clearly established” is in the eye of the 
beholder. The sensitive privacy interests implicated by Title III may lead some courts to rule that a Title 
III privacy right is “clearly established” even if no courts have recognized the right in analogous 
circumstances. See, e.g., McClelland v. McGrath, 31 F. Supp. 616, 619-20 (N.D. Ill. 1998) (holding that 
police violated the “clearly established” rights of a kidnaper who used a cloned cellular phone when the 
police asked the cellular provider to intercept the kidnaper’s unauthorized communications to help 
locate the kidnaper, and adding that the kidnaper’s right to be free from monitoring was “crystal clear” 
despite § 2511(2)(a)(i)). 



V. EVIDENCE 



A. Introduction 

Although the primary concern of this manual is obtaining computer records in criminal 
investigations, the ultimate goal is to obtain evidence admissible in court. A complete guide to offering 
computer records in evidence is beyond the scope of this manual. However, this chapter explains some 
of the more important issues that can arise when the government seeks the admission of computer 
records under the Federal Rules of Evidence. 

Most federal courts that have evaluated the admissibility of computer records have focused on 
computer records as potential hearsay. The courts generally have admitted computer records upon a 
showing that the records fall within the business records exception. Fed. R. Evid. 803(6): 



Records of regularly conducted activity. A memorandum, report, record, or data 
compilation, in any form, of acts, events, conditions, opinions, or diagnoses, made at or near 
the time by, or from information transmitted by, a person with knowledge, if kept in the 
course of a regularly conducted business activity, and if it was the regular practice of that 
business activity to make the memorandum, report, record, or data compilation, all as 
shown by the testimony of the custodian or other qualified witness, or by certification that 
complies with Rule 902(11), Rule 902(12), or a statute permitting certification, unless the 
source of information or the method or circumstances of preparation indicate lack of 
trustworthiness. The term “business” as used in this paragraph includes business, 
institution, association, profession, occupation, and calling of every kind, whether or not 
conducted for profit. 



See, e.g., United States v. Cestnik, 36 F.3d 904, 909-10 (10th Cir. 1994); United States v. Moore, 
923 F.2d 910, 914 (1st Cir. 1991); United States v. Briscoe, 896 F.2d 1476, 1494 (7th Cir. 1990); United 
States v. Catabran, 836 F.2d 453, 457 (9th Cir. 1988); Capital Marine Supply v. M/V Roland Thomas II, 
719 F.2d 104, 106 (5th Cir. 1983). Applying this test, the courts have indicated that computer records 
generally can be admitted as business records if they were kept pursuant to a routine procedure for 
motives that tend to assure their accuracy. 

However, the federal courts are likely to move away from this “one size fits all” approach as they 
become more comfortable and familiar with computer records. Like paper records, computer records 
are not monolithic: the evidentiary issues raised by their admission should depend on what kind of 
computer records a proponent seeks to have admitted. For example, computer records that contain text 
often can be divided into two categories: computer-generated records, and records that are merely 
computer-stored. See People v. Holowko, 486 N.E.2d 877, 878-79 (Ill. 1985). The difference hinges 
upon whether a person or a machine created the records' contents. Computer-stored records refer to 
documents that contain the writings of some person or persons and happen to be in electronic form. 
E-mail messages, word processing files, and Internet chat room messages provide common examples. As 
with any other testimony or documentary evidence containing human statements, computer-stored 
records must comply with the hearsay rule. If the records are admitted to prove the truth of the matter 
they assert, the offeror of the records must show circumstances indicating that the human statements 
contained in the record are reliable and trustworthy, see Advisory Committee Notes to Proposed Rule 
801 (1972), and the records must be authentic. 

In contrast, computer-generated records contain the output of computer programs, untouched by 
human hands. Log-in records from Internet service providers, telephone records, and ATM receipts tend 
to be computer-generated records. Unlike computer-stored records, computer-generated records do not 
contain human “statements,” but only the output of a computer program designed to process input 
following a defined algorithm. Of course, a computer program can direct a computer to generate a 
record that mimics a human statement: an e-mail program can announce “You've got mail!” when mail 
arrives in an inbox, and an ATM receipt can state that $100 was deposited in an account at 2:25 pm. 
However, the fact that a computer rather than a human being has created the record alters the evidentiary 
issues that the computer-generated records present. See, e.g., 2 J. Strong, McCormick on Evidence § 
294, at 286 (4th ed. 1992). The evidentiary issue is no longer whether a human's out-of-court statement 
was truthful and accurate (a question of hearsay), but instead whether the computer program that 
generated the record was functioning properly (a question of authenticity). See id.; Richard O. Lempert 
& Steven A. Saltzburg, A Modern Approach to Evidence 370 (2d ed. 1983); Holowko, 486 N.E.2d at 
878-79. 

Finally, a third category of computer records exists: some computer records are both computer- 
generated and computer-stored. For example, a suspect in a fraud case might use a spreadsheet program 
to process financial figures relating to the fraudulent scheme. A computer record containing the output 
of the program would derive from both human statements (the suspect's input to the spreadsheet 
program) and computer processing (the mathematical operations of the spreadsheet program). 
Accordingly, the record combines the evidentiary concerns raised by computer-stored and computer- 
generated records. The party seeking the admission of the record should address both the hearsay issues 
implicated by the original input and the authenticity issues raised by the computer processing. 

As the federal courts develop a more nuanced appreciation of the distinctions to be made between 
different kinds of computer records, they are likely to see that the admission of computer records 
generally raises two distinct issues. First, the government must establish the authenticity of all computer 
records by providing “evidence sufficient to support a finding that the matter in question is what its 
proponent claims.” Fed. R. Evid. 901(a). Second, if the computer records are computer-stored records 
that contain human statements, the government must show that those human statements are not 
inadmissible hearsay. 



B. Authentication 

Before a party may move for admission of a computer record or any other evidence, the proponent 
must show that it is authentic. That is, the government must offer evidence “sufficient to support a 
finding that the [computer record or other evidence] in question is what its proponent claims.” Fed. R. 
Evid. 901(a). See United States v. Simpson, 152 F.3d 1241, 1250 (10th Cir. 1998). 

The standard for authenticating computer records is the same as for authenticating other records. The 
degree of authentication does not vary simply because a record happens to be (or has been at one point) 
in electronic form. See United States v. DeGeorgia, 420 F.2d 889, 893 n.11 (9th Cir. 1969); United 
States v. Vela, 673 F.2d 86, 90 (5th Cir. 1982). But see United States v. Scholle, 553 F.2d 1109, 1125 
(8th Cir. 1977) (stating in dicta that “the complex nature of computer storage calls for a more 
comprehensive foundation”). For example, witnesses who testify to the authenticity of computer 
records need not have special qualifications. The witness does not need to have programmed the 
computer himself, or even need to understand the maintenance and technical operation of the computer. 
See United States v. Moore, 923 F.2d 910, 915 (1st Cir. 1991) (citing cases). Instead, the witness 
simply must have first-hand knowledge of the relevant facts to which she testifies. See generally United 
States v. Whitaker, 127 F.3d 595, 601 (7th Cir. 1997) (FBI agent who was present when the defendant's 
computer was seized can authenticate seized files); United States v. Miller, 771 F.2d 1219, 1237 (9th 
Cir. 1985) (telephone company billing supervisor can authenticate phone company records); Moore, 923 
F.2d at 915 (head of bank's consumer loan department can authenticate computerized loan data). 

Challenges to the authenticity of computer records often take on one of three forms. First, parties 
may challenge the authenticity of both computer-generated and computer-stored records by questioning 
whether the records were altered, manipulated, or damaged after they were created. Second, parties may 
question the authenticity of computer-generated records by challenging the reliability of the computer 
program that generated the records. Third, parties may challenge the authenticity of computer-stored 
records by questioning the identity of their author. 



1. Authenticity and the Alteration of Computer Records 

Computer records can be altered easily, and opposing parties often allege that computer records 
lack authenticity because they have been tampered with or changed after they were created. For 
example, in United States v. Whitaker, 127 F.3d 595, 602 (7th Cir. 1997), the government retrieved 
computer files from the computer of a narcotics dealer named Frost. The files from Frost's computer 
included detailed records of narcotics sales by three aliases: “Me” (Frost himself, presumably), 
“Gator” (the nickname of Frost's co-defendant Whitaker), and “Cruz” (the nickname of another dealer). 
After the government permitted Frost to help retrieve the evidence from his computer and declined to 
establish a formal chain of custody for the computer at trial, Whitaker argued that the files implicating 
him through his alias were not properly authenticated. Whitaker argued that “with a few rapid 
keystrokes, Frost could have easily added Whitaker's alias, 'Gator' to the printouts in order to finger 
Whitaker and to appear more helpful to the government.” Id. at 602. 

The courts have responded with considerable skepticism to such unsupported claims that computer 
records have been altered. Absent specific evidence that tampering occurred, the mere possibility of 
tampering does not affect the authenticity of a computer record. See Whitaker, 127 F.3d at 602 
(declining to disturb trial judge's ruling that computer records were admissible because allegation of 
tampering was “almost wild-eyed speculation . . . [without] evidence to support such a scenario”); 
United States v. Bonallo, 858 F.2d 1427, 1436 (9th Cir. 1988) (“The fact that it is possible to alter data 
contained in a computer is plainly insufficient to establish untrustworthiness.”); United States v. Glasser, 
773 F.2d 1553 (11th Cir. 1985) (“The existence of an air-tight security system [to prevent tampering] is 
not, however, a prerequisite to the admissibility of computer printouts. If such a prerequisite did exist, it 
would become virtually impossible to admit computer-generated records; the party opposing admission 
would have to show only that a better security system was feasible.”). This is consistent with the rule 
used to establish the authenticity of other evidence such as narcotics. See United States v. Allen, 106 
F.3d 695, 700 (6th Cir. 1997) (“Merely raising the possibility of tampering is insufficient to render 
evidence inadmissible.”). Absent specific evidence of tampering, allegations that computer records have 
been altered go to their weight, not their admissibility. See Bonallo, 858 F.2d at 1436. 



2. Establishing the Reliability of Computer Programs 

The authenticity of computer-generated records sometimes implicates the reliability of the 
computer programs that create the records. For example, a computer-generated record might not be 
authentic if the program that creates the record contains serious programming errors. If the program's 
output is inaccurate, the record may not be “what its proponent claims” according to Fed. R. Evid. 901. 

Defendants in criminal trials often attempt to challenge the authenticity of computer-generated 
records by challenging the reliability of the programs. See, e.g., United States v. Dioguardi, 428 F.2d 
1033, 1038 (2d Cir. 1970); United States v. Liebert, 519 F.2d 542, 547-48 (3d Cir. 1975). The courts 
have indicated that the government can overcome this challenge so long as 

the government provides sufficient facts to warrant a finding that the records are 
trustworthy and the opposing party is afforded an opportunity to inquire into the accuracy 
thereof[.] 

United States v. Briscoe, 896 F.2d 1476, 1494 (7th Cir. 1990). See also Liebert, 519 F.2d at 547; 
DeGeorgia, 420 F.2d at 893 n.11. Compare Fed. R. Evid. 901(b)(9) (indicating that matters created 
according to a process or system can be authenticated with “[e]vidence describing a process or system 
used . . . and showing that the process or system produces an accurate result”). In most cases, the 
reliability of a computer program can be established by showing that users of the program actually do 
rely on it on a regular basis, such as in the ordinary course of business. See, e.g., United States v. Moore, 
923 F.2d 910, 915 (1st Cir. 1991) (“[T]he ordinary business circumstances described suggest 
trustworthiness, ... at least where absolutely nothing in the record in any way implies the lack 
thereof.”) (computerized tax records held by the I.R.S.); Briscoe, 896 F.2d at 1494 (computerized 
telephone records held by Illinois Bell). When the computer program is not used on a regular basis and 
the government cannot establish reliability based on reliance in the ordinary course of business, the 
government may need to disclose “what operations the computer had been instructed to perform [as well 
as] the precise instruction that had been given” if the opposing party requests. Dioguardi, 428 F.2d at 
1038. Notably, once a minimum standard of trustworthiness has been established, questions as to the 
accuracy of computer records “resulting from . . . the operation of the computer program” affect only the 
weight of the evidence, not its admissibility. United States v. Catabran, 836 F.2d 453, 458 (9th Cir. 
1988). 

Prosecutors may note the conceptual overlap between establishing the authenticity of a computer- 
generated record and establishing the trustworthiness of a computer record for the business record 
exception to the hearsay rule. In fact, federal courts that evaluate the authenticity of computer-generated 
records often assume that the records contain hearsay, and then apply the business records exception. 
See, e.g., United States v. Linn, 880 F.2d 209, 216 (9th Cir. 1989) (applying business records exception 
to telephone records generated “automatically” by a computer); United States v. Vela, 673 F.2d 86, 
89-90 (5th Cir. 1982) (same). As discussed later in this chapter, this analysis is technically incorrect in 
many cases: computer records generated entirely by computers cannot contain hearsay and cannot 
qualify for the business records exception because they do not contain human “statements.” See Part C, 
infra. As a practical matter, however, prosecutors who lay a foundation to establish a 
computer-generated record as a business record will also lay the foundation to establish the record's authenticity. 
Evidence that a computer program is sufficiently trustworthy so that its results qualify as business 
records according to Fed. R. Evid. 803(6) also establishes the authenticity of the record. Compare 
United States v. Saputski, 496 F.2d 140, 142 (9th Cir. 1974). 



3. Identifying the Author of Computer-Stored Records 

Although handwritten records may be penned in a distinctive handwriting style, computer-stored 
records consist of a long string of zeros and ones that do not necessarily identify their author. This is a 
particular problem with Internet communications, which offer their authors an unusual degree of 
anonymity. For example, Internet technologies permit users to send effectively anonymous e-mails, and 
Internet Relay Chat channels permit users to communicate without disclosing their real names. When 
prosecutors seek the admission of such computer-stored records against a defendant, the defendant may 
challenge the authenticity of the record by challenging the identity of its author. 

Circumstantial evidence generally provides the key to establishing the authorship and authenticity 
of a computer record. For example, in United States v. Simpson, 152 F.3d 1241 (10th Cir. 1998), 
prosecutors sought to show that the defendant had conversed with an undercover FBI agent in an 
Internet chat room devoted to child pornography. The government offered a printout of an Internet chat 
conversation between the agent and an individual identified as “Stavron,” and sought to show that 
“Stavron” was the defendant. The district court admitted the printout in evidence at trial. On appeal 
following his conviction, Simpson argued that “because the government could not identify that the 
statements attributed to [him] were in his handwriting, his writing style, or his voice,” the printout had 
not been authenticated and should have been excluded. Id. at 1249. 

The Tenth Circuit rejected this argument, noting the considerable circumstantial evidence that 
“Stavron” was the defendant. See id. at 1250. For example, “Stavron” had told the undercover agent 
that his real name was 'B. Simpson,' gave a home address that matched Simpson's, and appeared to be 
accessing the Internet from an account registered to Simpson. Further, the police found records in 
Simpson's home that listed the name, address, and phone number that the undercover agent had sent to 
“Stavron.” Accordingly, the government had provided evidence sufficient to support a finding that the 
defendant was “Stavron,” and the printout was properly authenticated. See id. at 1250. See also United 
States v. Tank, 200 F.3d 627, 630-31 (9th Cir. 2000) (concluding that district court properly admitted 
chat room log printouts in circumstances similar to those in Simpson). But see United States v. Jackson, 
208 F.3d 633, 638 (7th Cir. 2000) (concluding that web postings purporting to be statements made by 
white supremacist groups were properly excluded on authentication grounds absent evidence that the 
postings were actually posted by the groups). 



C. Hearsay 

Federal courts have often assumed that all computer records contain hearsay. A more nuanced 
view suggests that in fact only a portion of computer records contain hearsay. When a computer record 
contains the assertions of a person, whether or not processed by a computer, and is offered to prove the 
truth of the matter asserted, the record can contain hearsay. In such cases, the government must fit the 
record within a hearsay exception such as the business records exception. Fed. R. Evid. 803(6). When 
a computer record contains only computer-generated data untouched by human hands, however, the 
record cannot contain hearsay. In such cases, the government must establish the authenticity of the 
record, but does not need to establish that a hearsay exception applies for the records to be admissible in 
court. 



1. Inapplicability of the Hearsay Rules to Computer-Generated Records 

The hearsay rules exist to prevent unreliable out-of-court statements by human declarants from 
improperly influencing the outcomes of trials. Because people can misinterpret or misrepresent their 
experiences, the hearsay rules express a strong preference for testing human assertions in court, where 
the declarant can be placed on the stand and subjected to cross-examination. See Ohio v. Roberts, 448 
U.S. 56, 62-66 (1980). This rationale does not apply when an animal or a machine makes an assertion: 
beeping machines and barking dogs cannot be called to the witness stand for cross-examination at trial. 
The Federal Rules have adopted this logic. By definition, an assertion cannot contain hearsay if it was 
not made by a human person. See Fed. R. Evid. 801(a) (“A 'statement' is (1) an oral or written assertion 
or (2) nonverbal conduct of a person, if it is intended by the person as an assertion.”) (emphasis added); 
Fed. R. Evid. 801(b) (“A declarant is a person who makes a statement.”) (emphasis added). 

As several courts and commentators have noted, this limitation on the hearsay rules necessarily 
means that computer-generated records untouched by human hands cannot contain hearsay. One state 
supreme court articulated the distinction in an early case involving the use of automated telephone 
records: 



The printout of the results of the computer’s internal operations is not hearsay evidence. It 
does not represent the output of statements placed into the computer by out of court 
declarants. Nor can we say that this printout itself is a “statement” constituting hearsay 
evidence. The underlying rationale of the hearsay rule is that such statements are made 
without an oath and their truth cannot be tested by cross-examination. Of concern is the 
possibility that a witness may consciously or unconsciously misrepresent what the declarant 
told him or that the declarant may consciously or unconsciously misrepresent a fact or 
occurrence. With a machine, however, there is no possibility of a conscious 
misrepresentation, and the possibility of inaccurate or misleading data only materializes if 
the machine is not functioning properly. 



State v. Armstead, 432 So.2d 837, 840 (La. 1983). See also People v. Holowko, 486 N.E.2d 877, 
878-79 (Ill. 1985) (automated trap and trace records); United States v. Duncan, 30 M.J. 1284, 1287-89 
(N-M.C.M.R. 1990) (computerized records of ATM transactions); 2 J. Strong, McCormick on Evidence 
§ 294, at 286 (4th ed. 1992); Richard O. Lempert & Stephen A. Saltzburg, A Modern Approach to 
Evidence 370 (2d ed. 1983). Cf. United States v. Fernandez-Roque, 703 F.2d 808, 812 n.2 (5th Cir. 
1983) (rejecting hearsay objection to admission of automated telephone records because “the fact that 
these calls occurred is not a hearsay statement”). Accordingly, a properly authenticated 
computer-generated record is admissible. See Lempert & Saltzburg, at 370. 

The insight that computer-generated records cannot contain hearsay is important because courts 
that assume the existence of hearsay may wrongfully exclude computer-generated evidence if a hearsay 
exception does not apply. For example, in United States v. Blackburn, 992 F.2d 666 (7th Cir. 1993), a 
bank robber left his eyeglasses behind in an abandoned stolen car. The prosecution's evidence against 
the defendant included a computer printout from a machine that tests the curvature of eyeglass lenses; 
the printout revealed that the prescription of the eyeglasses found in the stolen car exactly matched the 
defendant's. At trial, the district court assumed that the computer printout was hearsay, but concluded 
that the printout was an admissible business record according to Fed. R. Evid. 803(6). On appeal 
following conviction, the Seventh Circuit also assumed that the printout contained hearsay, but agreed 
with the defendant that the printout could not be admitted as a business record: 



the [computer-generated] report in this case was not kept in the course of a regularly 
conducted business activity, but rather was specially prepared at the behest of the FBI and 
with the knowledge that any information it supplied would be used in an ongoing criminal 
investigation. ... In finding this report inadmissible under Rule 803(6), we adhere to the 
well-established rule that documents made in anticipation of litigation are inadmissible 
under the business records exception. 

Id. at 670. See also Fed. R. Evid. 803(6) (stating that business records must be “made ... by, or 
transmitted by, a person”). 

Fortunately, the Blackburn court ultimately affirmed the conviction, concluding that the computer 
printout was sufficiently reliable that it could have been admitted under the residual hearsay exception. 
Rule 803(24). See id. at 672. However, instead of considering a reversal of the conviction because Rule 
803(6) did not apply, the court should have asked whether the computer printout from the lens-testing 
machine contained hearsay at all. This question would have revealed that the computer-generated 
printout could not be excluded properly on hearsay grounds because it contained no human 
“statements.” 



2. Applicability of the Hearsay Rules to Computer-Stored Records 

Computer-stored records that contain human statements must satisfy an exception to the hearsay 
rule if they are offered for the truth of the matter asserted. Before a court will admit the records, the 
court must establish that the statements contained in the record were made in circumstances that tend to 
ensure their trustworthiness. See, e.g., Jackson, 208 F.3d at 637 (concluding that postings from the 
websites of white supremacist groups contained hearsay, and rejecting the argument that the postings 
were the business records of the ISPs that hosted the sites). 

As discussed in the Introduction to this chapter, courts generally permit computer-stored records to 
be admitted as business records according to Fed. R. Evid. 803(6). Different circuits have articulated 
slightly different standards for the admissibility of computer-stored business records. Some courts 
simply apply the direct language of Fed. R. Evid. 803(6), which appears in the beginning of this 
chapter. See, e.g., United States v. Moore, 923 F.2d 910, 914 (1st Cir. 1991); United States v. Catabran, 
836 F.2d 453, 457 (9th Cir. 1988). Other circuits have articulated doctrinal tests specifically for 
computer records that largely (but not exactly) track the requirements of Rule 803(6). See, e.g., United 
States v. Cestnik, 36 F.3d 904, 909-10 (10th Cir. 1994) (“Computer business records are admissible if 
(1) they are kept pursuant to a routine procedure designed to assure their accuracy, (2) they are created 
for motives that tend to assure accuracy (e.g., not including those prepared for litigation), and (3) they 
are not themselves mere accumulations of hearsay.”) (quoting Capital Marine Supply v. M/V Roland 
Thomas II, 719 F.2d 104, 106 (5th Cir. 1983)); United States v. Briscoe, 896 F.2d 1476, 1494 (7th Cir. 
1990) (computer-stored records are admissible business records if they “are kept in the course of 
regularly conducted business activity, and [that it] was the regular practice of that business activity to 
make records, as shown by the testimony of the custodian or other qualified witness.”) (quoting United 
States v. Chappell, 698 F.2d 308, 311 (7th Cir. 1983)). Notably, the printout itself may be produced in 
anticipation of litigation without running afoul of the business records exception. The requirement that 
the record be kept “in the course of a regularly conducted business activity” refers to the underlying 
data, not the actual printout of that data. See United States v. Sanders, 749 F.2d 195, 198 (5th Cir. 
1984). 

From a practical perspective, the procedure for admitting a computer-stored record pursuant to the 
business records exception is the same as admitting any other business record. Consider an e-mail 
harassment case. To help establish that the defendant was the sender of the harassing messages, the 
prosecution may seek the introduction of records from the sender’s ISP showing that the defendant was 
the registered owner of the account from which the e-mails were sent. Ordinarily, this will require 
testimony from an employee of the ISP (“the custodian or other qualified witness”) that the ISP 
regularly maintains customer account records for billing and other purposes, and that the records to be 
offered for admission are such records that were made at or near the time of the events they describe in 
the regular course of the ISP’s business. Again, the key is establishing that the computer system from 
which the record was obtained is maintained in the ordinary course of business, and that it is a regular 
practice of the business to rely upon those records for their accuracy. 

The business record exception is the most common hearsay exception applied to computer 
records. Of course, other hearsay exceptions may be applicable in appropriate cases. See, e.g., Hughes 
v. United States, 953 F.2d 531, 540 (9th Cir. 1992) (concluding that computerized IRS forms are 
admissible as public records under Fed. R. Evid. 803(8)). 



D. Other Issues 

The authentication requirement and the hearsay rule usually provide the most significant hurdles 
that prosecutors will encounter when seeking the admission of computer records. However, some agents 
and prosecutors have occasionally considered two additional issues: the application of the best evidence 
rule to computer records, and whether computer printouts are “summaries” that must comply with Fed. 
R. Evid. 1006. 

1. The Best Evidence Rule 

The best evidence rule states that to prove the content of a writing, recording, or photograph, the 
“original” writing, recording, or photograph is ordinarily required. See Fed. R. Evid. 1002. Agents and 
prosecutors occasionally express concern that a mere printout of a computer-stored electronic file may 
not be an “original” for the purpose of the best evidence rule. After all, the original file is merely a 
collection of 0's and 1's; in contrast, the printout is the result of manipulating the file through a 
complicated series of electronic and mechanical processes. 

Fortunately, the Federal Rules of Evidence have expressly addressed this concern. The Federal 
Rules state that 



[i]f data are stored in a computer or similar device, any printout or other output readable by 
sight, shown to reflect the data accurately, is an “original”. 



Fed. R. Evid. 1001(3). Thus, an accurate printout of computer data always satisfies the best 
evidence rule. See Doe v. United States, 805 F. Supp. 1513, 1517 (D. Hawaii 1992). According to the 
Advisory Committee Notes that accompanied this rule when it was first proposed, this standard was 
adopted for reasons of practicality: 



While strictly speaking the original of a photograph might be thought to be only the 
negative, practicality and common usage require that any print from the negative be 
regarded as an original. Similarly, practicality and usage confer the status of original upon 
any computer printout. 



Advisory Committee Notes, Proposed Federal Rule of Evidence 1001(3) (1972). 

2. Computer Printouts as “Summaries” 

Federal Rule of Evidence 1006 permits parties to offer summaries of voluminous evidence in the 
form of “a chart, summary, or calculation” subject to certain restrictions. Agents and prosecutors 
occasionally ask whether a computer printout is necessarily a “summary” of evidence that must comply 
with Fed. R. Evid. 1006. In general, the answer is no. See Sanders, 749 F.2d at 199; Catabran, 836 F.2d 
at 456-57; United States v. Russo, 480 F.2d 1228, 1240-41 (6th Cir. 1973). Of course, if the computer 
printout is merely a summary of other admissible evidence, Rule 1006 will apply just as it does to other 
summaries of evidence. 



VI. APPENDICES 



Appendix A: Sample Network Banner Language 

Network banners are electronic messages that provide notice of legal rights to users of computer 
networks. From a legal standpoint, banners have four primary functions. First, banners may be used to 
generate consent to real-time monitoring under Title III. Second, banners may be used to generate 
consent to the retrieval of stored files and records pursuant to ECPA. Third, in the case of government 
networks, banners may eliminate any Fourth Amendment “reasonable expectation of privacy” that 
government employees or other users might otherwise retain in their use of the government’s network 
under O’Connor v. Ortega, 480 U.S. 709 (1987). Fourth, in the case of a non-government network, 
banners may establish a system administrator’s “common authority” to consent to a law enforcement 
search pursuant to United States v. Matlock, 415 U.S. 164 (1974). 

CCIPS does not take any position on whether providers of network services should use network 
banners, and, if so, what types of banners they should use. Further, there is no formal “magic language” 
that is necessary. However, it is important to realize that banners may be worded narrowly or broadly, 
and the scope of consent and waiver triggered by a particular banner will in general depend on the scope 
of its language. Here is a checklist of issues that may be considered when drafting a banner: 



a) Does the banner state that use of the network constitutes consent to monitoring? Such a 
statement helps establish the user’s consent to real-time interception pursuant to 18 U.S.C. 
2511(2)(d). 

b) Does the banner state that use of the network constitutes consent to the retrieval and 
disclosure of information stored on the network? Such a statement helps establish the 
user’s consent to the retrieval and disclosure of stored information pursuant to 18 U.S.C. § 
2702(b)(3) and § 2703(c)(1)(B)(iii). 

c) In the case of a government network, does the banner state that a user of the network 
shall have no reasonable expectation of privacy in the network? Such a statement helps 
establish that the user lacks a reasonable expectation of privacy pursuant to O’Connor v. 
Ortega, 480 U.S. 709 (1987). 

d) In the case of a non-government network, does the banner make clear that the network 
system administrator(s) may consent to a law enforcement search? Such a statement helps 
establish the system administrator’s common authority to consent to a search under United 
States v. Matlock, 415 U.S. 164 (1974). 

e) Does the banner contain express or implied limitations or authorizations relating to the 
purpose of any monitoring, who may conduct the monitoring, and what will be done with 
the fruits of any monitoring? 

f) Does the banner require users to “click through” or otherwise acknowledge the banner 
before using the network? Such a step may make it easier to establish that the network user 
actually received the notice that the banner is designed to provide. 



Network providers who decide to banner all or part of their network should consider their needs and the 
needs of their users carefully before selecting particular language. For example, a sensitive government 
computer network may require a broadly worded banner that permits access to all types of electronic 
information. Here are three examples of broad banners: 



(1) WARNING! This computer system is the property of the United States Department of 
Justice. The Department may monitor any activity on the system and retrieve any 
information stored within the system. By accessing and using this computer, you are 
consenting to such monitoring and information retrieval for law enforcement and other 
purposes. Users should have no expectation of privacy as to any communication on or 
information stored within the system, including information stored locally on the hard drive 
or other media in use with this unit (e.g., floppy disks, tapes, CD-ROMs, etc.). 

(2) This is a Department of Defense (DoD) computer system. DoD computer systems are 
provided for the processing of Official U.S. Government information only. All data 
contained within DoD computer systems is owned by the Department of Defense, and may 
be monitored, intercepted, recorded, read, copied, or captured in any manner and disclosed 
in any manner, by authorized personnel. THERE IS NO RIGHT OF PRIVACY IN THIS 
SYSTEM. System personnel may disclose any potential evidence of crime found on DoD 
computer systems for any reason. USE OF THIS SYSTEM BY ANY USER, AUTHORIZED 
OR UNAUTHORIZED, CONSTITUTES CONSENT TO THIS MONITORING, 
INTERCEPTION, RECORDING, READING, COPYING, or CAPTURING and 
DISCLOSURE. 



(3) You are about to access a United States government computer network that is intended 
for authorized users only. You should have no expectation of privacy in your use of this 
network. Use of this network constitutes consent to monitoring, retrieval, and disclosure of 
any information stored within the network for any purpose including criminal prosecution. 



In other cases, network providers may wish to establish a more limited monitoring policy. Here 
are three examples of relatively narrow banners that will generate consent to monitoring in some 
situations but not others: 

(4) This computer network belongs to the Grommie Corporation and may be used only by 
Grommie Corporation employees and only for work-related purposes. The Grommie 
Corporation reserves the right to monitor use of this network to ensure network security 
and to respond to specific allegations of employee misuse. Use of this network shall 
constitute consent to monitoring for such purposes. In addition, the Grommie Corporation 
reserves the right to consent to a valid law enforcement request to search the network for 
evidence of a crime stored within the network. 

(5) Warning: Patrons of the Cyber-Fun Internet Cafe may not use its computers to access, 
view, or obtain obscene materials. To ensure compliance with this policy, the Cyber-Fun 
Internet Cafe reserves the right to record the names and addresses of World Wide Web sites 
that patrons visit using Cyber-Fun Internet Cafe computers. 

(6) It is the policy of the law firm of Rowley & Yzaguirre to monitor the Internet access of 
its employees to ensure compliance with law firm policies. Accordingly, your use of the 
Internet may be monitored. The firm reserves the right to disclose the fruits of any 
monitoring to law enforcement if it deems such disclosure to be appropriate. 



Appendix B: Sample 18 U.S.C. § 2703(d) 
Application and Order 

UNITED STATES DISTRICT COURT 
FOR THE DISTRICT OF 

IN RE APPLICATION OF ) 
THE UNITED STATES OF AMERICA FOR ) 
AN ORDER PURSUANT TO ) 
18 U.S.C. § 2703(d) ) 

MISC. NO. 

Filed Under Seal 



APPLICATION 

[Name], an Assistant United States Attorney for the District of , 
hereby files under seal this ex parte application for an order pursuant to 18 U.S.C. Section 2703(d) to 
require [Internet Service Provider], [mailing address], to provide records and other information 
pertaining to the [Internet Service Provider] network account that was assigned Internet Protocol 
address [xxx.xxx.xxx.xxx] on [date] and [time]. 

The records and other information requested are set forth as Attachment 1 to the Application and to the 
proposed Order. In support of this Application, the United States offers the following: 

FACTUAL BACKGROUND 

1. The United States Government, including the Federal Bureau of Investigation and the Department 
of Justice, is investigating intrusions into a number of computers in the United States and abroad that 
occurred on [date], and which may be continuing. These computer intrusions are being investigated as 
possible violations of 18 U.S.C. § 1030 (damage and unauthorized access to a protected computer) and § 
2511 (unlawful interception of electronic communications). Investigation to date of these incidents 
provides reasonable grounds to believe that [Internet Service Provider] has records and other 
information pertaining to certain of its subscribers that are relevant and material to an ongoing criminal 
investigation. 

2. In particular, on [date], [victim] discovered an unauthorized intrusion into its computer system, and, 
specifically, into the following computers: . Investigation into this incident revealed that 
the intruder had obtained so-called “root” or system administrator level access into the 
computer, effectively giving the intruder complete control of the system. The computer is a 
“protected computer” according to 18 U.S.C. § 1030(e)(2). Accordingly, this unauthorized intrusion 
constitutes a criminal violation of 18 U.S.C. § 1030(a)(2). 

3. On [date], the intruder(s) again connected to the computer, and again obtained 
unauthorized “root” access. During that intrusion, investigators recorded the unique Internet Protocol 
address of the source of the intrusion, [xxx.xxx.xxx.xxx]. Investigators later determined that this 
address belongs to [Internet Service Provider]. [Internet Service Provider] provides both electronic 
communications services (access to e-mail and the Internet) and remote computing services (access to 
computers for the storage and processing of data) to its customers and subscribers using a range of 
assigned Internet Protocol addresses that include the address of the intrusion. 

4. Obtaining the records of customer and subscriber information relating to the [Internet Service 
Provider] account that was assigned address [xxx.xxx.xxx.xxx] on [date] and [time], as well as the 
contents of electronic communications (not in electronic storage) associated with that account, will help 
government investigators identify the individual(s) who are responsible for the unauthorized access of 
the computer systems described above and to determine the nature and scope of the intruder’s activities. 
In particular, the [Internet Service Provider] customer who was assigned this Internet Protocol address at 
that particular time may be the person responsible for the unauthorized intrusion. Alternatively, records 
of the customer’s account may offer clues that will permit investigators to “trace back” the intrusion to 
its source. 



LEGAL BACKGROUND 

5. 18 U.S.C. § 2703 sets out particular requirements that the government must meet in order to obtain 
access to the records and other information in the possession of providers of “electronic communications 
services” and/or “remote computing services.” [Internet Service Provider] functions both as an 
electronic communications service provider - that is, it provides its subscribers access to electronic 
communication services, including e-mail and the Internet - and as a remote computing service provider 
- it provides computer facilities for the storage and processing of electronic communications - as those 
terms are used in 18 U.S.C. § 2703. [Note that because a “remote computing service” is public by 
definition, this statement must be modified if you are seeking information from a service provider 
who is not a provider to the public, such as, for example, a university.] 

6. Here, the government seeks to obtain three categories of records: (1) basic subscriber information; 
(2) records and other information, including connection logs, pertaining to certain subscribers; and 
[Add only if the application seeks to obtain the contents of communications (such as e-mails) 
pursuant to § 2703(b), as opposed to mere records pursuant to § 2703(c).] (3) the content of 
electronic communications in a remote computing service (but not communications in electronic 
storage).[1] 

7. To obtain basic subscriber information, such as the subscriber’s name, address, billing 
information, and other identifying records, the government needs only a subpoena; however, the 
government may also compel such information through an order issued pursuant to section 2703(d). See 
18 U.S.C. § 2703(c)(1)(C). To obtain other types of records and information pertaining to the 
subscribers or customers of service providers, including connection logs and other audit information, the 
government must comply with the dictates of sections 2703(c)(1)(B) and 2703(d). Section 2703(c)(1)(B) 
provides in pertinent part: 

A provider of electronic communication service or remote computing service shall disclose a record or 
other information pertaining to a subscriber to or customer of such service (not including the contents of 
communications covered by subsection (a) or (b) of this section) to a governmental entity only when the 
governmental entity . . . obtains a court order for such disclosure under subsection (d) of this section; 

8. [Add only if the application seeks to obtain the contents of communications (such as e-mails) 
pursuant to § 2703(b), as opposed to mere records pursuant to § 2703(c).] To obtain the contents of 
electronic communications held by a remote computing service (but not the contents in “electronic 
storage,” see n.1), the government must comply with 2703(b)(1)(B), which provides, in pertinent part: 

A governmental entity may require a provider of remote computing service to disclose the 
contents of any electronic communication to which this paragraph is made applicable by 
paragraph 2 of this subsection . . . with prior notice from the government entity to the 
subscriber or customer if the governmental entity . . . obtains a court order for such 
disclosure under subsection (d) of this section .... except that delayed notice may be given 
pursuant to section 2705 of this title. 

Paragraph 2 of subsection 2703(b) applies with respect to any electronic communication 
that is held or maintained on a remote computing service- 

(A) on behalf of, and received by means of electronic transmission from (or created by 
means of computer processing of communications received by means of electronic 
transmission from), a subscriber or customer of such remote computing service; and 

(B) solely for the purpose of providing storage or computer processing services to such 
subscriber or customer, if the provider is not authorized to access the contents of any such 
communications for purposes of providing any services other than storage or computer 
processing. 



Therefore, communications described by paragraph 2 of subsection 2703(b) include the content of 
electronic mail that has been opened, viewed, downloaded, or otherwise accessed by the recipient and is 
held remotely by the service provider on its computers. 

9. All of the information the government seeks from [Internet Service Provider] through this 
application may be compelled through an order that complies with section 2703(d). Section 2703(d) 
provides in pertinent part: 

A court order for disclosure under subsection . . . (c) may be issued by any court that is a 
court of competent jurisdiction described in section 3127(2)(A)[2] and shall issue only if the 
governmental entity offers specific and articulable facts showing that there are reasonable 
grounds to believe that the . . . records or other information sought, are relevant and material 
to an ongoing criminal investigation. ... A court issuing an order pursuant to this section, 
on a motion made promptly by the service provider, may quash or modify such order, if the 
information or records requested are unusually voluminous in nature or compliance with 
such order otherwise would cause an undue burden on such provider. 



Accordingly, this application sets forth facts showing there are reasonable grounds to believe that 
the materials sought are relevant and material to the ongoing criminal investigation. 

GOVERNMENT’S REQUEST 

10. The government requests that [Internet Service Provider] be directed to produce all records 
described in Attachment 1 to this Application. This information is directly relevant to identifying the 
individual(s) responsible for the crime under investigation. The information requested should be 
readily accessible to [Internet Service Provider] by computer search, and its production should not 
prove to be unduly burdensome. [Undersigned should check with the ISP before filing this 
document to ensure the accuracy of this statement.] 

11. The United States requests that this Application and Order be sealed by the Court until such 
time as the court directs otherwise. 

12. The United States further requests, pursuant to the preclusion of notice provisions of 18 
U.S.C. § 2705(b), that [Internet Service Provider] be ordered not to notify any person (including the 
subscriber or customer to which the materials relate) of the existence of this order for such period as the 
court deems appropriate. The United States submits that such an order is justified because notification 
of the existence of this order could seriously jeopardize the ongoing investigation. Such a disclosure 
could give the subscriber an opportunity to destroy evidence, notify confederates, or flee or continue his 
flight from prosecution. 

13. [Add only if the application seeks to obtain the contents of communications pursuant to 
§ 2703(b), as opposed to mere records pursuant to § 2703(c):] The United States further requests, 
pursuant to the delayed notice provisions of 18 U.S.C. § 2705(a), an order delaying any notification to 
the subscriber or customer that may be required by § 2703(b) to obtain the contents of communications, 
for a period of 90 days. Providing prior notice to the subscriber or customer could seriously jeopardize 
the ongoing investigation, as such a disclosure would give the subscriber an opportunity to destroy 
evidence, change patterns of behavior, notify confederates, or flee or continue his flight from 
prosecution. [Optional Baker Act language to use if the ISP is a university: The United States 
further requests that [Internet Service Provider]’s compliance with the delayed notification 
provisions of this Order shall be deemed authorized under 20 U.S.C. § 1232g(b)(1)(j)(ii) (the 
“Baker Act”). See 34 CFR § 99.31(a)(9)(i) (exempting requirement of prior notice for disclosures 
made to comply with a judicial order or lawfully issued subpoena where the disclosure is made 
pursuant to “any other subpoena issued for a law enforcement purpose and the court or other 
issuing agency has ordered that the existence or the contents of the subpoena or the information 
furnished in response to the subpoena not be disclosed”)]. 

WHEREFORE, it is respectfully requested that the Court grant the attached Order, (1) directing 
[Internet Service Provider] to provide the United States with the records and information described in 
Attachment 1; (2) directing that the Application and Order be sealed; (3) directing [Internet Service 
Provider] not to disclose the existence or content of the Order, except to the extent necessary to carry out 
the Orders; and [Use only if the application seeks to obtain the contents of communications 
pursuant to § 2703(b)] (4) directing that the notification by the government otherwise required by 18 
U.S.C. § 2703(b) be delayed for ninety days. 

Respectfully Submitted, 



Assistant United States Attorney 



ATTACHMENT 1 

You are to provide the following information as printouts and as ASCII data files (on 8 mm helical scan 
tape for Unix host), if available: 

A. All customer or subscriber account information for any accounts registered to , or 
associated with . For each such account, the information shall include: 

1. The subscriber's account and login name(s); 

2. The subscriber's address; 

3. The subscriber's telephone number or numbers; 

4. The subscriber's e-mail address; 

5. Any other information pertaining to the identity of the subscriber, 
including, but not limited to billing information (including type and number of 
credit cards, student identification number, or other identifying information). 

B. User connection logs for: 

(1) all accounts identified in Part A, above, 

(2) the IP address [xxx.xxx.xxx.xxx], 

for the time period beginning through and including the date of this order, for any connections 
to or from . 

User connection logs should contain the following: 

1. Connection time and date; 

2. Disconnect time and date; 

3. Method of connection to system (e.g., SLIP, PPP, Shell); 

4. Data transfer volume (e.g., bytes); 

5. Connection information for other systems to which user connected via , including: 

a. Connection destination; 

b. Connection time and date; 

c. Disconnect time and date; 

d. Method of connection to system (e.g., telnet, ftp, http); 

e. Data transfer volume (e.g., bytes); 

C. [Add only if the application seeks to obtain the contents of communications (such as e-mails) 
pursuant to § 2703(b), as opposed to mere records pursuant to § 2703(c).] The contents of 
electronic communications (not in electronic storage)- that were placed or stored in directories or files 
owned or controlled by the accounts identified in Part A at any time after [date] up through and 
including the date of this Order. 



UNITED STATES DISTRICT COURT 
FOR THE DISTRICT OF 

IN RE APPLICATION OF ) 
THE UNITED STATES OF AMERICA FOR ) 
AN ORDER PURSUANT TO ) 
18 U.S.C. § 2703(d) ) 

MISC. NO. 

Filed Under Seal 



ORDER 

This matter having come before the court pursuant to an application under Title 18, United 
States Code, Section 2703(b) and (c), which application requests the issuance of an order under Title 18, 
United States Code, Section 2703(d) directing [Internet Service Provider], an electronic communications 
service provider and a remote computing service, located at [mailing address], to disclose certain 
records and other information, as set forth in Attachment 1 to the Application, the court finds that the 
applicant has offered specific and articulable facts showing that there are reasonable grounds to believe 
that the records or other information sought are relevant and material to an ongoing criminal 
investigation. 

IT APPEARING that the information sought is relevant and material to an ongoing criminal 
investigation, and that prior notice of this Order to any person of this investigation or this application 
and order by the government or [Internet Service Provider] would seriously jeopardize the investigation; 

IT IS ORDERED pursuant to Title 18, United States Code, Section 2703(d) that [Internet 
Service Provider] will, within [three] days of the date of this Order, turn over to agents of the Federal 
Bureau of Investigation the records and other information as set forth in Attachment 1 to this Order. 

IT IS FURTHER ORDERED that the application and this Order are sealed until otherwise 
ordered by the Court, and that [Internet Service Provider] shall not disclose the existence of the 
Application or this Order of the Court, or the existence of the investigation, to the listed subscriber or to 
any other person unless and until authorized to do so by the Court. 

[Add only if the application seeks to obtain the contents of communications (such as e-mails) 
pursuant to § 2703(b), as opposed to mere records pursuant to § 2703(c).] 

IT IS FURTHER ORDERED that the notification by the government otherwise required under 
18 U.S.C. § 2703(b)(1)(B) be delayed for ninety days. [Optional Baker Act language if the ISP is a 
university: Furthermore, [Internet Service Provider]’s compliance with the non-disclosure 
provision of this Order shall be deemed authorized under 20 U.S.C. § 1232g(b)(1)(j)(ii).] 



United States Magistrate Judge 



Date 



[1] “Electronic Storage” is a term of art, specifically defined in 18 U.S.C. § 2510(17) as “(A) any temporary, intermediate 
storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such 
communication by an electronic communication service for purposes of backup protection of such communication.” The 
government does not seek access to any such materials. Communications not in “electronic storage” include any e-mail 
communications received by the specified accounts that the owner or user of the account has already accessed, viewed, or 
downloaded. 



[2] 18 U.S.C. § 3127(2)(A) defines the term “court of competent jurisdiction” as including “a district court of the United States 
(including a magistrate of such a court) or a United States Court of Appeals.” Because 18 U.S.C. § 2703(d) expressly permits 
“any” such court to issue an order, this Court may enter an order directing the disclosure of such information even if the 
information is stored outside of this judicial District. 



Appendix C: Sample Language for Preservation 
Request Letters under 18 U.S.C. § 2703(f) 



[Internet Service Provider] 
[Address] 

VIA FAX to (xxx) xxx-xxxx 

Dear Mr. []: 

I am writing to confirm our telephone conversation earlier today and to make a formal request for 
the preservation of records and other evidence pursuant to 18 U.S.C. § 2703(f) pending further legal 
process. 

You are hereby requested to preserve, for a period of 90 days, the records described below 
currently in your possession, including records stored on backup media, in a form that includes the 
complete record. You also are requested not to disclose the existence of this request to the subscriber or 
any other person, other than as necessary to comply with this request. If compliance with this request 
may result in a permanent or temporary termination of service to the accounts described below, 
or otherwise alert the subscriber or user of these accounts as to your actions to preserve the 
referenced files and records, please contact me before taking such actions. 

This request applies only retrospectively. It does not in any way obligate you to capture and 
preserve new information that arises after the date of this request. 

This preservation request applies to the following records and evidence: 

[In a case involving an e-mail account] 



A. All stored electronic communications and other files reflecting communications to or 
from the following electronic mail address: [JDoe@isp.com]; 

B. All records and other evidence relating to the subscriber(s), customer(s), account holder 
(s), or other entity(ies) associated with the e-mail address [JDoe@isp.com] or user name 
“Jdoe,” including, without limitation, subscriber names, user names, screen names or other 
identities, mailing addresses, residential addresses, business addresses, e-mail addresses and 
other contact information, telephone numbers or other subscriber number or identity, billing 
records, information about the length of service and the types of services the subscriber or 
customer utilized, and any other identifying information, whether such records or other 
evidence are in electronic or other form; and 

C. Any other records and other evidence relating to the e-mail address [JDoe@isp.com] or 
user name “Jdoe.” Such records and other evidence include, without limitation, 
correspondence and other records of contact by any person or entity about the 
above-referenced account, the content and connection logs associated with user activity or relating 
to communications and any other activities to, through or from [JDoe@isp.com] or user 
name “Jdoe,” whether such records or other evidence are in electronic or other form. 

[In a case involving use of a specific I.P. address] 

All electronic records and other evidence relating to the use of the IP address 222.222.222.2 or 
domain name abc.wcom.net on September 5, 1999 at 4:28 and 04:32 GMT +02:00, and on September 7, 
1999 at 00:19 GMT +02:00. 



[In a case involving activity of a user account] 

All connection logs and records of user activity for the user name Jdoe or address [JDoe@isp.com], 
including: 

1. Connection date and time; 

2. Disconnect date and time; 

3. Method of connection (e.g., telnet, ftp, http); 

4. Data transfer volume; 

5. User name associated with the connection and other connection information, including 
the Internet Protocol address of the source of the connection; 

6. Telephone caller identification records; and 

7. Connection information for other computers to which the user of the above-referenced 
accounts connected, by any means, during the connection period, including the destination 
IP address, connection time and date, disconnect time and date, method of connection to the 
destination computer, the identities (account and screen names) and subscriber information, 
if known, for any person or entity to which such connection information relates, and all 
other information related to the connection from ISP or its subsidiaries. 

All records and other evidence relating to the subscriber(s), customer(s), account 
holder(s), or other entity(ies) associated with [JDoe@isp.com], including, without limitation, subscriber 
names, user names, screen names or other identities, mailing addresses, residential addresses, business 
addresses, e-mail addresses and other contact information, telephone numbers or other subscriber 
number or identifier number, billing records, information about the length of service and the types of 
services the subscriber or customer utilized, and any other identifying information, whether such records 
or other evidence are in electronic or other form. 

Any other records and other evidence relating to [JDoe@isp.com]. Such records and other 
evidence include, without limitation, correspondence and other records of contact by any person or 
entity about the above-referenced account, the content and connection logs associated with or relating to 
postings, communications and any other activities to or through [JDoe@isp.com], whether such records 
or other evidence are in electronic or other form. 



Very truly yours, 



Assistant United States Attorney 



Appendix D: Sample Pen Register/Trap 
and Trace Application and Order 

UNITED STATES DISTRICT COURT 
FOR THE DISTRICT OF __________ 

IN RE APPLICATION OF THE           ) 
UNITED STATES OF AMERICA FOR       ) 
AN ORDER AUTHORIZING THE USE       )    MISC. NO. __________ 
OF A PEN REGISTER AND TRAP         ) 
AND TRACE DEVICE                   )    Filed Under Seal 
                                   ) 


APPLICATION 

[Name], an Assistant United States Attorney for the District of __________, hereby files 
under seal this ex parte application for an Order under Title 18, United States Code, Section 3123, 
authorizing the installation and use of a pen/trap device on a computer operated by [Internet Service 
Provider]. This computer is named [computer name], has an IP address of [IP address], and is believed 
to be located at [physical address]. In support of this application, the undersigned states the following: 

1. Applicant is an “attorney for the government” as defined in Rule 54(c) of the Federal Rules 
of Criminal Procedure and, therefore, pursuant to Section 3122 of Title 18, United States Code, may 
apply for an order authorizing the installation and use of a pen/trap device. 

2. Applicant certifies that the Federal Bureau of Investigations is conducting a criminal 
investigation of [suspect] and others yet unknown in connection with possible violations of Title 18 
United States Code, Section [ ], to wit, [statutory description of offense]. It is believed the subject(s) of 
the investigation may be using the electronic mail address [JDoe@isp.com], in furtherance of the 
specified offense, and that the information likely to be obtained from the pen/trap device is relevant to 
the ongoing criminal investigation. [Although not required by law, CCIPS recommends the 
inclusion within the application of specific and articulable facts that support this conclusion.] 

3. A trap and trace device, as defined in Title 18, United States Code, Section 3127, is “a device 
which captures the incoming electronic or other impulses which identify the originating number of an 
instrument or device from which a wire or electronic communication was transmitted.” A pen register 
collects destination information for electronic transmissions. In the traditional telephone context, a pen 
register and trap and trace device collects origin and destination information such as the telephone 
numbers dialed for a telephone call. The same principles apply in the context of Internet 
communications: a pen register and trap and trace device collects addressing information contained in 
“packet headers,” and, in the case of e-mails, “mail headers.” Both “packet headers” and “mail headers” 
are portions of Internet communications that contain addressing information, analogous to “to” and 
“from” addresses for traditional letters and origin and destination telephone numbers for telephone 
calls. Importantly, “packet headers” and “mail headers” (minus the subject lines of e-mails, which 
contain the e-mails’ titles and can include messages) do not contain the contents of electronic 
communications. Accordingly, this application does not seek authority to intercept the contents of any 
electronic communications. To obtain the contents of electronic communications in transmission 
(including the subject lines of e-mails), the government ordinarily must apply for and receive a Title III 
order pursuant to 18 U.S.C. §§ 2510-22. Because the “to” and “from” information contained within 
packet headers and mail headers can be obtained through the same combination of software and 
hardware, this application and order refers to means of obtaining both the origination and destination 
information as simply a “pen/trap” device. 

4. Applicant requests that the Court issue an Order authorizing the installation and use of a 
pen/trap device to capture the packet header and mail header information (but not the subject lines of 
e-mails) associated with the transmission of communications and other data (including transfers of 
information via the World Wide Web, electronic mail, telnet, and the file transfer protocol) to and from 
the account [Jdoe@isp.com]; to record the date and time of the initiation and receipt of such 
transmissions; and to record the length of time the transmissions took place, all for a period of sixty (60) 
days following installation. 

5. The Applicant further requests that the Order direct the furnishing of information, facilities, 
and technical assistance necessary to accomplish the installation of the pen/trap device unobtrusively by 
[Internet Service Provider], with reasonable compensation to be paid by the applicant for reasonable 
expenses incurred in providing such facilities and assistance. 

WHEREFORE, it is respectfully requested that the Court grant an Order for a period of sixty 
(60) days (1) authorizing the installation and use of a pen/trap device to capture the packet header and 
mail header information (but not the subject lines of e-mails) associated with all communications and 
other data transmitted to or from the account [JDoe@isp.com]; to record the date and time of such 
transmissions; and to record the length of time the transmission took; (2) directing [Internet Service 
Provider] to furnish the Federal Bureau of Investigations, forthwith, all information, facilities, and 
technical assistance necessary to accomplish the installation and use of the device unobtrusively and 
with a minimum of interference to the service presently accorded persons whose transmissions are the 
subject of the pen/trap device; and (3) that this Application and Order be placed under seal and further 
direct that [Internet Service Provider], and its agents and employees, not disclose to the listed subscriber, 
or to any other person, the existence of the pen/trap device or of this investigation unless or until 
otherwise ordered by the Court. 

I declare under penalty of perjury that the foregoing is true and correct. 

Executed on __________. 

Respectfully Submitted, 



Assistant United States Attorney 

UNITED STATES DISTRICT COURT 
FOR THE DISTRICT OF __________ 

IN RE APPLICATION OF THE           ) 
UNITED STATES OF AMERICA FOR       ) 
AN ORDER AUTHORIZING THE USE       )    MISC. NO. __________ 
OF A PEN REGISTER AND TRAP         ) 
AND TRACE DEVICE                   )    Filed Under Seal 
                                   ) 



ORDER 

This matter having come before the Court pursuant to an Application under Title 18, United 
States Code, Section 3122, by [Name], Assistant United States Attorney, District of __________, 
which Application requests an Order under Title 18, United States Code, Section 3123, authorizing the 
installation and use of a pen/trap device on the account [JDoe@isp.com], the Court finds that the 
applicant has certified that the information likely to be obtained by such installation and use is relevant 
to an ongoing criminal investigation into possible violations of Title 18, United States Code, Section 
__________, to wit, [statutory description of offense] by [suspect], and others yet unknown. 

IT APPEARING that the packet header and mail header information associated with 
communications and other data transmitted to and from the account [JDoe@isp.com] are relevant to an 
ongoing criminal investigation of the specified offense; 

IT IS ORDERED, pursuant to Title 18, United States Code, Section 3123, that agents of the 
Federal Bureau of Investigations may install and use a pen/trap device to capture the packet header and 
mail header information (but not the subject lines of e-mails) for all communications and other data 
transmitted to and from the account [Jdoe@isp.com]; to record the date and time of such transmissions; 
and to record the length of time the transmissions took, for a period of sixty (60) days from the date of 
this Order; 

IT IS FURTHER ORDERED, pursuant to Title 18, United States Code, Section 3123(b)(2), that 
[Internet Service Provider] shall furnish agents of the Federal Bureau of Investigations, forthwith, all 
information, facilities, and technical assistance necessary to accomplish the installation and use of the 
pen/trap device unobtrusively and with minimum interference to the services that are accorded persons 
with respect to whom the installation and use is to take place; 

IT IS FURTHER ORDERED, pursuant to Title 18, United States Code, Section 3123(d), that 
this Order and the Application be sealed until otherwise ordered by the Court, and that copies of such 
order may be furnished to the Federal Bureau of Investigations, United States Attorney's Office, and 
[Internet Service Provider], and further that [Internet Service Provider] shall not disclose the existence 
of the pen/trap device or the existence of the investigation to the listed subscriber or to any other person 
unless or until otherwise ordered by the Court. 



United States Magistrate Judge 



Date 



Appendix E: Sample Subpoena Language 

The following is sample language for obtaining basic subscriber information with a subpoena pursuant 
to 18 U.S.C. § 2703(c)(1)(C): 



All customer or subscriber account information for any accounts registered to 
__________, or associated with __________. For each such account, the information 
shall include: 

1. The subscriber’s name; 

2. The subscriber’s address; 

3. The subscriber’s local and long distance telephone toll billing records; 

4. The subscriber’s telephone number or numbers, the e-mail address or addresses, 
account or login name or names, or any other information pertaining to the identity of the 
subscriber, including, type and number of credit cards, student identification number, or 
other identifying information; and 

5. The types of services subscribed to or utilized by the subscriber and the lengths of such 
services. 



The following is sample language for obtaining the content of communications when permitted by 
ECPA pursuant to 18 U.S.C. § 2703(a) and (b): 



A. The contents of electronic communications not in “electronic storage” (i.e., electronic 
mail that has already been opened by the user) currently held or maintained in the account 
associated with the address “__________@__________” (registered to __________) sent from 
or to the above account during the period __________ through __________ (inclusive). 

B. The content of all electronic communications in “electronic storage” for more than 180 
days associated with the accounts identified in Part A, that were placed or stored in 
computer systems in directories or files owned or controlled by such accounts 
at any time up through and including the date of this subpoena. 

[ISP] should NOT produce any unopened incoming electronic communications (i.e., 
electronic communications in “electronic storage”) less than 181 days old. 

For purposes of this request, “electronic storage” is defined in 18 U.S.C. § 2510(17) as 
“(A) any temporary, intermediate storage of a wire or electronic communication incidental 
to the electronic transmission thereof; and any storage of such communication by an 
electronic communication service for purposes of backup protection of such 
communication.” The government does not seek access to any such materials, unless it has 
been in storage for more than 180 days. 



Appendix F: Sample Language for Search Warrants 
and Accompanying Affidavits to Search and Seize Computers 

This appendix provides sample language for agents and prosecutors who wish to obtain a warrant 
authorizing the search and seizure of computers. The discussion focuses first on the proper way to 
describe the property to be seized in the warrant itself, which in turn requires consideration of the role of 
the computer in the offense. The discussion then turns to drafting an accompanying affidavit that 
establishes probable cause, describes the agent’s search strategy, and addresses any additional statutory 
or constitutional concerns. 

I. DESCRIBING THE PROPERTY TO BE SEIZED FOR THE WARRANT 



The first step in drafting a warrant to search and seize computers or computer data is to describe 
the property to be seized for the warrant itself. This requires a particularized description of the 
evidence, contraband, fruits, or instrumentality of crime that the agents hope to obtain by conducting the 
search. 

Whether the ‘property to be seized’ should contain a description of information (such as computer 
files) or physical computer hardware depends on the role of the computer in the offense. In some cases, 
the computer hardware is itself contraband, evidence of crime, or a fruit or instrumentality of crime. In 
these situations, Fed. R. Crim. P. 41 expressly authorizes the seizure of the hardware, and the warrant 
will ordinarily request its seizure. In other cases, however, the computer hardware is merely a storage 
device for electronic files that are themselves contraband, evidence, or instrumentalities of crime. In 
these cases, the warrant should request authority to search for and seize the information itself, not the 
storage devices that the agents believe they must seize to recover the information. Although the agents 
may need to seize the storage devices for practical reasons, such practical considerations are best 
addressed in the accompanying affidavit. The ‘property to be seized’ described in the warrant should 
fall within one or more of the categories listed in Rule 41(b): 

(1) “property that constitutes evidence of the commission of a criminal offense” 

This authorization is a broad one, covering any item that an investigator “reasonably could . . . 
believe” would reveal information that would aid in a particular apprehension or conviction. Andresen 
v. Maryland, 427 U.S. 463, 483 (1976). Cf. Warden v. Hayden, 387 U.S. 294, 307 (1967) (noting that 
restrictions on what evidence may be seized result mostly from the probable cause requirement). The 
word “property” in Rule 41(b)(1) includes both tangible and intangible property. See United States v. 
New York Tel. Co., 434 U.S. 159, 169 (1977) (“Rule 41 is not limited to tangible items but is 
sufficiently flexible to include within its scope electronic intrusions authorized upon a finding of 
probable cause.”); United States v. Biasucci, 786 F.2d 504, 509-10 (2d Cir. 1986) (holding that the fruits 
of video surveillance are “property” that may be seized using a Rule 41 search warrant). Accordingly, 
data stored in electronic form is “property” that may properly be searched and seized using a Rule 41 
warrant. See United States v. Hall, 583 F. Supp. 717, 718-19 (E.D. Va. 1984). 

(2) “contraband, the fruits of crime, or things otherwise criminally possessed” 

Property is contraband “when a valid exercise of the police power renders possession of the 
property by the accused unlawful and provides that it may be taken.” Hayden, 387 U.S. at 302 (quoting 
Gouled v. United States, 255 U.S. 298, 309 (1921)). Common examples of items that fall within this 
definition include child pornography, see United States v. Kimbrough, 69 F.3d 723, 731 (5th Cir. 1995), 
pirated software and other copyrighted materials, see United States v. Vastola, 670 F. Supp. 1244, 1273 
(D.N.J. 1987), counterfeit money, narcotics, and illegal weapons. The phrase “fruits of crime” refers to 
property that criminals have acquired as a result of their criminal activities. Common examples include 
money obtained from illegal transactions, see United States v. Dornblut, 261 F.2d 949, 951 (2d Cir. 
1958) (cash obtained in drug transaction), and stolen goods. See United States v. Burkeen, 350 F.2d 
261, 264 (6th Cir. 1965) (currency removed from bank during bank robbery). 

(3) “property designed or intended for use or which is or had been used as a means of committing a 
criminal offense” 

Rule 41(b)(3) authorizes the search and seizure of “property designed or intended for use or which 
is or had been used as a means of committing a criminal offense.” This language permits courts to issue 
warrants to search and seize instrumentalities of crime. See United States v. Farrell, 606 F.2d 1341, 
1347 (D.C. Cir. 1979). Computers may serve as instrumentalities of crime in many ways. For example, 
Rule 41 authorizes the seizure of computer equipment as an instrumentality when a suspect uses a 
computer to view, acquire, and transmit images of child pornography. See Davis v. Gracey, 111 F.3d 
1472, 1480 (10th Cir. 1997) (stating in an obscenity case that “the computer equipment was more than 
merely a ‘container’ for the files; it was an instrumentality of the crime.”); United States v. Lamb, 945 
F. Supp. 441, 462 (N.D.N.Y. 1996). Similarly, a hacker's computer may be used as an instrumentality 
of crime, and a computer used to run an illegal Internet gambling business would also be an 
instrumentality of the crime. 

Here are examples of how to describe property to be seized when the computer hardware is merely 
a storage container for electronic evidence: 



(A) All records relating to violations of 21 U.S.C. § 841(a) (drug trafficking) and/or 21 
U.S.C. § 846 (conspiracy to traffic drugs) involving [the suspect] since January 1, 1996, 
including lists of customers and related identifying information; types, amounts, and prices 
of drugs trafficked as well as dates, places, and amounts of specific transactions; any 
information related to sources of narcotic drugs (including names, addresses, phone 
numbers, or any other identifying information); any information recording [the suspect's] 
schedule or travel from 1995 to the present; all bank records, checks, credit card bills, 
account information, and other financial records. 

The terms “records” and “information” include all of the foregoing items of evidence 
in whatever form and by whatever means they may have been created or stored, including 
any electrical, electronic, or magnetic form (such as any information on an electronic or 
magnetic storage device, including floppy diskettes, hard disks, ZIP disks, CD-ROMs, 
optical discs, backup tapes, printer buffers, smart cards, memory calculators, pagers, 
personal digital assistants such as Palm Pilot computers, as well as printouts or readouts 
from any magnetic storage device); any handmade form (such as writing, drawing, 
painting); any mechanical form (such as printing or typing); and any photographic form 
(such as microfilm, microfiche, prints, slides, negatives, videotapes, motion pictures, 
photocopies). 

(B) Any copy of the X Company’s confidential May 17, 1998 report, in electronic or other 
form, including any recognizable portion or summary of the contents of that report. 

(C) [For a warrant to obtain records stored with an ISP pursuant to 18 U.S.C. Section 
2703(a)] All stored electronic mail of any kind sent to, from and through the e-mail address 
[JDoe@isp.com], or associated with the user name “John Doe,” or account holder 
[suspect]. Content and connection log files of all account activity from January 1, 2000, 
through March 31, 2000, by the user associated with the e-mail address [JDoe@isp.com], 
including dates, times, methods of connecting (e.g., telnet, ftp, http), ports used, telephone 
dial-up caller identification records, and any other connection information or traffic data. 
All business records, in any form kept, in the possession of [Internet Service Provider], that 
pertain to the subscriber(s) and account(s) associated with the e-mail address 
[JDoe@isp.com], including records showing the subscriber’s full name, all screen names 
associated with that subscriber and account, all account names associated with that 
subscriber, methods of payment, phone numbers, all residential, business, mailing, and 
e-mail addresses, detailed billing records, types and lengths of service, and any other 
identifying information. 



Here are examples of how to describe the property to be seized when the computer hardware itself 
is evidence, contraband, or an instrumentality of crime: 



(A) Any computers (including file servers, desktop computers, laptop computers, mainframe 
computers, and storage devices such as hard drives, Zip disks, and floppy disks) that were 
or may have been used as a means to provide images of child pornography over the Internet 
in violation of 18 U.S.C. § 2252A that were accessible via the World Wide Web site address 
www.[xxxxxxxx].com. 

(B) IBM Thinkpad Model 760ED laptop computer with a black case 

II. DRAFTING AFFIDAVITS IN SUPPORT OF WARRANTS TO SEARCH AND SEIZE 
COMPUTERS 



An affidavit to justify the search and seizure of computer hardware and/or files should include, at a 
minimum, the following sections: (1) definitions of any technical terms used in the affidavit or warrant; 
(2) a summary of the offense, and, if known, the role that a targeted computer plays in the offense; and 
(3) an explanation of the agents’ search strategy. In addition, warrants that raise special issues (such as 
sneak-and-peek warrants, or warrants that may implicate the Privacy Protection Act, 42 U.S.C. § 
2000aa) require thorough discussion of those issues in the affidavit. Agents and prosecutors with 
questions about how to tailor an affidavit and warrant for a computer-related search may contact either 
the local CTC, or the Computer Crime & Intellectual Property Section at (202) 514-1026. 

A. Background Technical Information 

It may be helpful to include a section near the beginning of the affidavit explaining any technical 
terms that the affiant may use. Although many judges are computer literate, judges generally appreciate 
a clear, jargon-free explanation of technical terms that may help them understand the merits of the 
warrant application. At the same time, agents and prosecutors should resist the urge to pad affidavits 
with long, boilerplate descriptions of well-known technical phrases. As a rule, affidavits should only 
include the definitions of terms that are likely to be unknown by a generalist judge and are used in the 
remainder of the affidavit. Here are several sample definitions: 



Encryption 

Encryption refers to the practice of mathematically scrambling computer data as a 
communications security measure. The encrypted information is called “ciphertext.” 
“Decryption” is the process of converting the ciphertext back into the original, readable 
information (known as “plaintext”). The word, number or other value used to 
encrypt/decrypt a message is called the “key.” 

Data Compression 

A process of reducing the number of bits required to represent some information, usually to 
reduce the time or cost of storing or transmitting it. Some methods can be reversed to 
reconstruct the original data exactly; these are used for faxes, programs and most computer 
data. Other methods do not exactly reproduce the original data, but this may be acceptable 
(for example, for a video conference). 

Joint Photographic Experts Group (JPEG) 

JPEG is the name of a standard for compressing digitized images that can be stored on 
computers. JPEG is often used to compress photographic images, including pornography. 
Such files are often identified by the “.jpg” extension (such that a JPEG file might have the 
title “picture.jpg”) but can easily be renamed without the “.jpg” extension. 

Internet Service Providers (“ISPs”) 

Many individuals and businesses obtain their access to the Internet through businesses 
known as Internet Service Providers (“ISPs”). ISPs provide their customers with access to 
the Internet using telephone or other telecommunications lines; provide Internet e-mail 
accounts that allow users to communicate with other Internet users by sending and 
receiving electronic messages through the ISPs’ servers; remotely store electronic files on 
their customers’ behalf; and may provide other services unique to each particular ISP. 

ISPs maintain records pertaining to the individuals or companies that have subscriber 
accounts with them. Those records could include identifying and billing information, account 
access information in the form of log files, e-mail transaction information, posting 
information, account application information, and other information both in computer data 
format and in written record format. 

ISPs reserve and/or maintain computer disk storage space on their computer system for the 
use of the Internet service subscriber for both temporary and long-term storage of 
electronic communications with other parties and other types of electronic data and files. 
E-mail that has not been opened is stored temporarily by an ISP incident to the 
transmission of the e-mail to the intended recipient, usually within an area known as the 
home directory. Such temporary, incidental storage is defined by statute as “electronic 
storage,” and the provider of such a service is an “electronic communications service” 
provider. A service provider that is available to the public and provides storage facilities 
after an electronic communication has been transmitted and opened by the recipient, or 
provides other long term storage services to the public for electronic data and files, is 
providing a “remote computing service.” 

Server 

A server is a centralized computer that provides services for other computers connected to 
it via a network. The other computers attached to a server are sometimes called “clients.” 
In a large company, it is common for individual employees to have client computers at their 
desktops. When the employees access their e-mail, or access files stored on the network 
itself, those files are pulled electronically from the server, where they are stored, and are 
sent to the client’s computer via the network. Notably, server computers can be physically 
stored in any location: it is common for a network’s server to be located hundreds (and 
even thousands) of miles away from the client computers. 

In larger networks, it is common for servers to be dedicated to a single task. For example, 
a server that is configured so that its sole task is to support a World Wide Web site is known 
simply as a “web server.” Similarly, a server that only stores and processes e-mail is 
known as a “mail server.” 

IP Address 

The Internet Protocol address (or simply “IP” address) is a unique numeric address used 
by computers on the Internet. An IP address looks like a series of four numbers, each in the 
range 0-255, separated by periods (e.g., 111.56.97.178). Every computer attached to the 
Internet must be assigned an IP address so that Internet traffic sent from and 
directed to that computer may be directed properly from its source to its destination. Most 
Internet service providers control a range of IP addresses. 

dynamic IP address: When an ISP or other provider uses dynamic IP 
addresses, the ISP randomly assigns one of the available IP addresses in the 
range of IP addresses controlled by the ISP each time a user dials into the ISP 
to connect to the Internet. The customer's computer retains that IP address for 
the duration of that session (i.e., until the user disconnects), and the IP address 
cannot be assigned to another user during that period. Once the user 
disconnects, however, that IP address becomes available to other customers 
who dial in at a later time. Thus, an individual customer's IP address normally 
differs each time he dials into the ISP. 

static IP address: A static IP address is an IP address that is assigned 
permanently to a given user or computer on a network. A customer of an ISP 
that assigns static IP addresses will have the same IP address every time. 
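
The practical consequence of the two definitions above is that a dynamic IP address identifies a customer only in combination with a time. The following Python sketch is an added illustration, not part of the manual or of any provider's system: it resolves an address and timestamp against session records. The record layout, the account names, the function names and the sample sessions are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Address
from typing import List, Optional


def utc(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS' as a time-zone-aware UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Session:
    account: str             # hypothetical subscriber identifier
    ip: IPv4Address          # address held for the whole session
    start: datetime          # connect time (UTC)
    end: Optional[datetime]  # disconnect time; None = open-ended (static assignment)


# Constructed sample records; 192.0.2.0/24 is a documentation-only range.
SESSIONS = [
    # The same dynamic address is reused by two customers on the same day.
    Session("acct-1001", IPv4Address("192.0.2.10"),
            utc("2001-01-05 08:00:00"), utc("2001-01-05 09:30:00")),
    Session("acct-2002", IPv4Address("192.0.2.10"),
            utc("2001-01-05 09:45:00"), utc("2001-01-05 11:00:00")),
    # A static assignment: one customer, no end time.
    Session("acct-3003", IPv4Address("192.0.2.77"),
            utc("2001-01-01 00:00:00"), None),
]


def find_sessions(sessions: List[Session], ip: str, when: datetime,
                  clock_skew: timedelta = timedelta(0)) -> List[Session]:
    """Return every session that held `ip` at `when`.

    `clock_skew` widens each session on both sides to allow for a victim log
    and a provider log whose clocks disagree. A timestamp without a time zone
    is rejected, because a few hours' ambiguity can point at another customer.
    """
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a time zone")
    addr = IPv4Address(ip)  # raises ValueError unless four octets, each 0-255
    hits = []
    for s in sessions:
        if s.ip != addr:
            continue
        starts = s.start - clock_skew
        ends = None if s.end is None else s.end + clock_skew
        if starts <= when and (ends is None or when <= ends):
            hits.append(s)
    return hits


def attribute(sessions: List[Session], ip: str, when: datetime,
              clock_skew: timedelta = timedelta(0)) -> Optional[str]:
    """Return the single account that held `ip` at `when`, else None.

    None covers both "nobody had the address then" and "more than one
    candidate once clock skew is allowed"; neither supports an attribution.
    """
    accounts = {s.account for s in find_sessions(sessions, ip, when, clock_skew)}
    return accounts.pop() if len(accounts) == 1 else None


if __name__ == "__main__":
    for stamp in ("2001-01-05 09:00:00", "2001-01-05 09:40:00", "2001-01-05 10:00:00"):
        print(stamp, attribute(SESSIONS, "192.0.2.10", utc(stamp)))
```

A lookup that falls in the gap between two sessions, or that matches two customers once a clock-skew allowance is applied, returns no account.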

B. Describe the Role of the Computer in the Offense 
The next step is to describe the role of the computer in the offense, to the extent it is known. For 
example, is the computer hardware itself evidence of a crime or contraband? Is the computer hardware 
merely a storage device that may or may not contain electronic files that constitute evidence of a crime? 
To introduce this topic, it may be helpful to explain at the outset why the role of the computer is 
important for defining the scope of your warrant request. 



Your affiant knows that computer hardware, software, and electronic files may be important 
to a criminal investigation in two distinct ways: (1) the objects themselves may be 
contraband, evidence, instrumentalities, or fruits of crime, and/or (2) the objects may be 
used as storage devices that contain contraband, evidence, instrumentalities, or fruits of 
crime in the form of electronic data. Rule 41 of the Federal Rules of Criminal Procedure 
permits the government to search for and seize computer hardware, software, and 
electronic files that are evidence of crime, contraband, instrumentalities of crime, and/or 
fruits of crime. In this case, the warrant application requests permission to search and 
seize [images of child pornography, including those that may be stored on a computer]. 
These [images] constitute both evidence of crime and contraband. This affidavit also 
requests permission to seize the computer hardware that may contain [the images of child 
pornography] if it becomes necessary for reasons of practicality to remove the hardware 
and conduct a search off-site. Your affiant believes that, in this case, the computer 
hardware is a container for evidence, a container for contraband, and also itself an 
instrumentality of the crime under investigation. 

1. When the Computer Hardware Is Itself Contraband, Evidence, and/or an Instrumentality 
or Fruit of Crime 



If applicable, the affidavit should explain why probable cause exists to believe that the tangible 
computer items are themselves contraband, evidence, instrumentalities, or fruits of the crime, 
independent of the information they may hold. 



Computer Used to Obtain Unauthorized Access to a Computer (“Hacking”) 

Your affiant knows that when an individual uses a computer to obtain unauthorized access 
to a victim computer over the Internet, the individual's computer will generally serve both 
as an instrumentality for committing the crime, and also as a storage device for evidence of 
the crime. The computer is an instrumentality of the crime because it is "used as a means 
of committing [the] criminal offense" according to Rule 41(b)(3). In particular, the 
individual's computer is the primary means for accessing the Internet, communicating with 
the victim computer, and ultimately obtaining the unauthorized access that is prohibited by 
18 U.S.C. § 1030. The computer is also likely to be a storage device for evidence of crime 
because computer hackers generally maintain records and evidence relating to their crimes 
on their computers. Those records and evidence may include files that recorded the 
unauthorized access, stolen passwords and other information downloaded from the victim 
computer, the individual's notes as to how the access was achieved, records of Internet chat 
discussions about the crime, and other records that indicate the scope of the individual's 
unauthorized access. 

Computers Used to Produce Child Pornography 
It is common for child pornographers to use personal computers to produce both still and 
moving images. For example, a computer can be connected to a common video camera 
using a device called a video capture board: the device turns the video output into a form 
that is usable by computer programs. Alternatively, the pornographer can use a digital 
camera to take photographs or videos and load them directly onto the computer. The 
output of the camera can be stored, transferred or printed out directly from the computer. 
The producers of child pornography can also use a device known as a scanner to transfer 
photographs into a computer-readable format. All of these devices, as well as the 
computer, constitute instrumentalities of the crime. 



2. When the Computer Is Merely a Storage Device for Contraband, Evidence, 
and/or an Instrumentality or Fruit of Crime 



When the computer is merely a storage device for electronic evidence, the affidavit should explain 
this clearly. The affidavit should explain why there is probable cause to believe that evidence of a crime 
may be found in the location to be searched. This does not require the affidavit to establish probable 
cause that the evidence may be stored specifically within a computer. However, the affidavit should 
explain why the agents believe that the information may in fact be stored as an electronic file stored in a 
computer. 



Child Pornography 

Your affiant knows that child pornographers generally prefer to store images of child 
pornography in electronic form as computer files. The computer’s ability to store images in 
digital form makes a computer an ideal repository for pornography. A small portable disk 
can contain hundreds or thousands of images of child pornography, and a computer hard 
drive can contain tens of thousands of such images at very high resolution. The images can 
be easily sent to or received from other computer users over the Internet. Further, both 
individual files of child pornography and the disks that contain the files can be mislabeled 
or hidden to evade detection. 

Illegal Business Operations 

Based on actual inspection of [spreadsheets, financial records, invoices], your affiant is 
aware that computer equipment was used to generate, store, and print documents used in 
[suspect’s] [tax evasion, money laundering, drug trafficking, etc.] scheme. There is reason 
to believe that the computer system currently located on [suspect’s] premises is the same 
system used to produce and store the [spreadsheets, financial records, invoices], and that 
both the [spreadsheets, financial records, invoices] and other records relating to 
[suspect's] criminal enterprise will be stored on [suspect's computer]. 

C. The Search Strategy 

The affidavit should also contain a careful explanation of the agents’ search strategy, as well as a 
discussion of any practical or legal concerns that govern how the search will be executed. Such an 
explanation is particularly important when practical considerations may require that agents seize 
computer hardware and search it off-site when that hardware is only a storage device for evidence of 
crime. Similarly, searches for computer evidence in sensitive environments (such as functioning 
businesses) may require that the agents adopt an incremental approach designed to minimize the 
intrusiveness of the search. The affidavit should explain the agents’ approach in sufficient detail that the 
explanation provides a useful guide for the search team and any reviewing court. It is a good practice to 
include a copy of the search strategy as an attachment to the warrant, especially when the affidavit is 
placed under seal. Here is sample language that can apply to recurring situations: 



1. Sample Language to Justify Seizing Hardware and Conducting a Subsequent 
Off-site Search 



Based upon your affiant’s knowledge, training and experience, your affiant knows that 
searching and seizing information from computers often requires agents to seize most or all 
electronic storage devices (along with related peripherals) to be searched later by a 
qualified computer expert in a laboratory or other controlled environment. This is true 
because of the following: 

(1) The volume of evidence. Computer storage devices (like hard disks, 
diskettes, tapes, laser disks) can store the equivalent of millions of information. 
Additionally, a suspect may try to conceal criminal evidence; he or she might 
store it in random order with deceptive file names. This may require searching 
authorities to examine all the stored data to determine which particular files 
are evidence or instrumentalities of crime. This sorting process can take weeks 
or months, depending on the volume of data stored, and it would be impractical 
and invasive to attempt this kind of data search on-site. 

(2) Technical Requirements. Searching computer systems for criminal 
evidence is a highly technical process requiring expert skill and a properly 
controlled environment. The vast array of computer hardware and software 
available requires even computer experts to specialize in some systems and 
applications, so it is difficult to know before a search which expert is qualified 
to analyze the system and its data. In any event, however, data search 
protocols are exacting scientific procedures designed to protect the integrity of 
the evidence and to recover even “hidden,” erased, compressed, 
password-protected, or encrypted files. Because computer evidence is vulnerable to 
inadvertent or intentional modification or destruction (both from external 
sources or from destructive code imbedded in the system as a “booby trap”), a 
controlled environment may be necessary to complete an accurate analysis. 

Further, such searches often require the seizure of most or all of a computer 
system’s input/output peripheral devices, related software, documentation, and 
data security devices (including passwords) so that a qualified computer expert 
can accurately retrieve the system’s data in a laboratory or other controlled 
environment. 

In light of these concerns, your affiant hereby requests the Court’s permission to seize the 
computer hardware (and associated peripherals) that are believed to contain some or all of 
the evidence described in the warrant, and to conduct an off-site search of the hardware for 
the evidence described, if, upon arriving at the scene, the agents executing the search 
conclude that it would be impractical to search the computer hardware on-site for this 
evidence. 



2. Sample Language to Justify an Incremental Search 

Your affiant recognizes that the [Suspect] Corporation is a functioning company with 
approximately [number] employees, and that a seizure of the [Suspect] Corporation's 
computer network may have the unintended and undesired effect of limiting the company's 
ability to provide service to its legitimate customers who are not engaged in [the criminal 
activity under investigation]. In response to these concerns, the agents who execute the 
search will take an incremental approach to minimize the inconvenience to [Suspect 
Corporation]'s legitimate customers and to minimize the need to seize equipment and data. 
This incremental approach, which will be explained to all of the agents on the search team 
before the search is executed, will proceed as follows: 

A. Upon arriving at the [Suspect Corporation's] headquarters on the morning 
of the search, the agents will attempt to identify a system administrator of the 
network (or other knowledgeable employee) who will be willing to assist law 
enforcement by identifying, copying, and printing out paper [and electronic] 
copies of [the computer files described in the warrant]. If the agents succeed 
at locating such an employee and are able to obtain copies of [the 
computer files described in the warrant] in that way, the agents will not 
conduct any additional search or seizure of the [Suspect Corporation's] 
computers. 

B. If the employees choose not to assist the agents and the agents cannot 
execute the warrant successfully without themselves examining the [Suspect 
Corporation's] computers, primary responsibility for the search will transfer 
from the case agent to a designated computer expert. The computer expert will 
attempt to locate [the computer files described in the warrant], and will 
attempt to make electronic copies of those files. This analysis will focus on 
particular programs, directories, and files that are most likely to contain the 
evidence and information of the violations under investigation. The computer 
expert will make every effort to review and copy only those programs, 
directories, files, and materials that are evidence of the offenses described 
herein, and provide only those items to the case agent. If the computer expert 
succeeds at locating [the computer files described in the warrant] in that way, 
the agents will not conduct any additional search or seizure of the [Suspect 
Corporation's] computers. 

C. If the computer expert is not able to locate the files on-site, or an on-site 
search proves infeasible for technical reasons, the computer expert will 
attempt to create an electronic “image” of those parts of the computer that are 
likely to store [the computer files described in the warrant]. Generally 
speaking, imaging is the taking of a complete electronic picture of the 
computer’s data, including all hidden sectors and deleted files. Imaging a 
computer permits the agents to obtain an exact copy of the computer's stored 
data without actually seizing the computer hardware. The computer expert or 
another technical expert will then conduct an off-site search for [the computer 
files described in the warrant] from the “mirror image” copy at a later date. If 
the computer expert successfully images the [Suspect Corporation's] 
computers, the agents will not conduct any additional search or seizure of the 
[Suspect Corporation's] computers. 

D. If “imaging” proves impractical, or even impossible for technical reasons, 
then the agents will seize those components of the [Suspect Corporation's] 
computer system that the computer expert believes must be seized to permit the 
agents to locate [the computer files described in the warrant] at an off-site 
location. The components will be seized and taken into the custody of the 
FBI. If employees of [Suspect Corporation] so request, the computer expert 
will, to the extent practicable, attempt to provide the employees with copies of 
any files [not within the scope of the warrant] that may be necessary or 
important to the continuing function of the [Suspect Corporation’s] legitimate 
business. If, after inspecting the computers, the analyst determines that some 
or all of this equipment is no longer necessary to retrieve and preserve the 
evidence, the government will return it within a reasonable time. 



3. Sample Language to Justify the Use of Comprehensive Data Analysis Techniques 

Searching [the suspect’s] computer system for the evidence described in [Attachment A] 
may require a range of data analysis techniques. In some cases, it is possible for agents to 
conduct carefully targeted searches that can locate evidence without requiring a time- 
consuming manual search through unrelated materials that may be commingled with 
criminal evidence. For example, agents may be able to execute a “keyword” search that 
searches through the files stored in a computer for special words that are likely to appear 
only in the materials covered by a warrant. Similarly, agents may be able to locate the 
materials covered in the warrant by looking for particular directory or file names. In other 
cases, however, such techniques may not yield the evidence described in the warrant. 

Criminals can mislabel or hide files and directories; encode communications to avoid using 
key words; attempt to delete files to evade detection; or take other steps designed to 
frustrate law enforcement searches for information. These steps may require agents to 
conduct more extensive searches, such as scanning areas of the disk not allocated to listed 
files, or opening every file and scanning its contents briefly to determine whether it falls 
within the scope of the warrant. In light of these difficulties, your affiant requests 
permission to use whatever data analysis techniques appear necessary to locate and 
retrieve the evidence described in [Attachment A]. 

D. Special Considerations 

The affidavit should also contain discussions of any special legal considerations that may factor 
into the search or how it will be conducted. These considerations are discussed at length in Chapter 2. 
Agents can use this checklist to determine whether a particular computer-related search raises such 
issues: 
1. Is the search likely to result in the seizure of any drafts of publications (such as 
books, newsletters, Web site postings, etc.) that are unrelated to the search and are 
stored on the target computer? If so, the search may implicate the Privacy Protection 
Act, 42 U.S.C. § 2000aa. 

2. Is the target of the search an ISP, or will the search result in the seizure of a mail 
server? If so, the search may implicate the Electronic Communications Privacy Act, 18 
U.S.C. §§ 2701-11. 

3. Does the target store electronic files or e-mail on a server maintained in a remote 
location? If so, the agents may need to obtain more than one warrant. 

4. Will the search result in the seizure of privileged files, such as attorney-client 
communications? If so, special precautions may be in order. 

5. Are the agents requesting authority to execute a sneak-and-peek search? 

6. Are the agents requesting authority to dispense with the “knock and announce” 
rule? 



Appendix G: Sample Letter for Provider Monitoring 

This letter is intended to inform [law enforcement agency] of [Provider’s] decision to conduct 
monitoring of unauthorized activity within its computer network pursuant to 18 U.S.C. § 2511(2)(a)(i), 
and to disclose some or all of the fruits of this monitoring to law enforcement if [Provider] deems it will 
assist in protecting its rights or property. On or about [date], [Provider] became aware that it was the 
victim of unauthorized intrusions into its computer network. [Provider] understands that 18 U.S.C. § 
2511(2)(a)(i) authorizes 



an officer, employee, or agent of a provider of wire or electronic communication service, 
whose facilities are used in the transmission of a wire or electronic communication, to 
intercept, disclose, or use that communication in the normal course of his employment 
while engaged in any activity which is a necessary incident to the rendition of his service or 
to the protection of the rights or property of the provider of that service[.] 



This statutory authority permits [Provider] to engage in reasonable monitoring of unauthorized 
use of its network to protect its rights or property, and also to disclose intercepted communications to [law 
enforcement] to further the protection of [Provider]’s rights or property. 

To protect its rights and property, [Provider] plans to [continue to] conduct reasonable monitoring 
of the unauthorized use in an effort to evaluate the scope of the unauthorized activity and attempt to 
discover the identity of the person or persons responsible. [Provider] may then wish to disclose some or 
all of the fruits of its interception to law enforcement to help support a criminal investigation concerning 
the unauthorized use and criminal prosecution for the unauthorized activity of the person(s) responsible. 

[Provider] understands that it is under absolutely no obligation to conduct any monitoring 
whatsoever, or to disclose the fruits of any monitoring, and that 18 U.S.C. § 2511(2)(a)(i) does not 
permit [law enforcement] to direct or request [Provider] to intercept, disclose, or use monitored 
communications for law enforcement purposes. Accordingly, [law enforcement] will under no 
circumstances initiate, encourage, order, request, or solicit [Provider] to conduct nonconsensual 
monitoring without first obtaining an appropriate court order, and [Provider] will not engage in 
monitoring solely or primarily to assist law enforcement absent an appropriate court order. Any 
monitoring and/or disclosure will be at [Provider’s] initiative. [Provider] also recognizes that the 
interception of wire and electronic communications beyond the permissible scope of 18 U.S.C. § 
2511(2)(a)(i) potentially may subject it to civil and criminal penalties. 

Sincerely, 

[Provider] General Counsel 
Footnotes: 



1 Technically, the Electronic Communications Privacy Act of 1986 amended Chapter 119 of Title 18 of the U.S. Code, 
codified at 18 U.S.C. §§ 2510-22, and created Chapter 121 of Title 18, codified at 18 U.S.C. §§ 2701-11. As a result, some 
courts and commentators use the term “ECPA” to refer collectively to both §§ 2510-22 and §§ 2701-11. This manual adopts a 
simpler convention for the sake of clarity: §§ 2510-22 will be referred to by its original name, “Title III,” (as Title III of the 
Omnibus Crime Control and Safe Streets Act, passed in 1968), and §§ 2701-11 as “ECPA.” 



2 After viewing evidence of a crime stored on a computer, agents may need to seize the computer temporarily to ensure the 
integrity and availability of the evidence before they can obtain a warrant to search the contents of the computer. See, e.g., 
Hall, 142 F.3d at 994-95; United States v. Grosenheider, 200 F.3d 321, 330 n.10 (5th Cir. 2000). The Fourth Amendment 
permits agents to seize a computer temporarily so long as they have probable cause to believe that it contains evidence of a 
crime, the agents seek a warrant expeditiously, and the duration of the warrantless seizure is not “unreasonable” given the 
totality of the circumstances. See United States v. Place, 462 U.S. 696, 700 (1983); United States v. Martin, 157 F.3d 46, 54 
(2d Cir. 1998); United States v. Licata, 761 F.2d 537, 540-42 (9th Cir. 1985). 
3 Consent by employers and co-employees is discussed separately in the workplace search section of this chapter. See Part D. 



4 Of course, agents executing a search pursuant to a valid warrant need not rely on the plain view doctrine to justify the 
search. The warrant itself justifies the search. See generally Chapter 2, Part D, “Searching Computers Already in Law 
Enforcement Custody.” 



5 Creating a mirror-image copy of an entire drive (often known simply as “imaging”) is different from making an electronic 
copy of individual files. When a computer file is saved to a storage disk, it is saved in randomly scattered sectors on the disk 
rather than in contiguous, consolidated blocks; when the file is retrieved, the scattered pieces are reassembled from the disk 
in the computer’s memory and presented as a single file. Imaging the disk copies the entire disk exactly as it is, including all 
the scattered pieces of various files. The image allows a computer technician to recreate (or “mount”) the entire storage disk 
and have an exact copy just like the original. In contrast, an electronic copy (also known as a “logical file copy”) merely 
creates a copy of an individual file by reassembling and then copying the scattered sectors of data associated with the 
particular file. 



6 Such distinctions may also be important from the perspective of asset forfeiture. Property used to commit or promote an 
offense involving obscene material may be forfeited criminally pursuant to 18 U.S.C. § 1467. Property used to commit or 
promote an offense involving child pornography may be forfeited criminally pursuant to 18 U.S.C. § 2253 and civilly 
pursuant to 18 U.S.C. § 2254. Agents and prosecutors can contact the Asset Forfeiture and Money Laundering Section at 
(202) 514-1263 for additional assistance. 



7 The Steve Jackson Games litigation raised many important issues involving the PPA and ECPA before the district court. On 
appeal, however, the only issue raised was “a very narrow one: whether the seizure of a computer on which is stored private 
E-mail that has been sent to an electronic bulletin board, but not yet read (retrieved) by the recipients, constitutes an 
‘intercept’ proscribed by 18 U.S.C. § 2511(1)(a).” Steve Jackson Games, 36 F.3d at 460. This issue is discussed in the 
electronic surveillance chapter. See Chapter 4, infra. 



8 This raises a fundamental distinction overlooked in Steve Jackson Games: the difference between a Rule 41 search warrant 
that authorizes law enforcement to execute a search, and an ECPA search warrant that compels a provider of electronic 
communication service or remote computing service to disclose the contents of a subscriber’s network account to law 
enforcement. Although both are called “search warrants,” they are very different in practice. ECPA search warrants required 
by 18 U.S.C. § 2703(a) are court orders that are served much like subpoenas: ordinarily, the investigators bring the warrant to 
the provider, and the provider then divulges the information described in the warrant to the investigators within a certain 
period of time. In contrast, Rule 41 search warrants typically authorize agents to enter onto private property, search for and 
then seize the evidence described in the warrant. Compare Chapter 2 (discussing search and seizure with a Rule 41 warrant) 
with Chapter 3 (discussing electronic evidence that can be obtained under ECPA). This distinction is especially important 
when a court concludes that ECPA was violated and then must determine the remedy. Because the warrant requirement of 18 
U.S.C. § 2703(a) is only a statutory standard, a non-constitutional violation of § 2703(a) should not result in suppression of 
the evidence obtained. See Chapter 3, Part H (discussing remedies for violations of ECPA). 



9 Focusing on the computers rather than the information may also lead to a warrant that is too narrow. If relevant information 
is in paper or photographic form, agents may miss it altogether. 

10 An unusual number of computer search and seizure decisions involve child pornography. This is true for two reasons. 
First, computer networks provide an easy means of possessing and transmitting contraband images of child pornography. 
Second, the fact that possession of child pornography transmitted over state lines is a felony often leaves defendants with 
little recourse but to challenge the procedure by which law enforcement obtained the contraband images. Investigators and 
prosecutors should contact the Child Exploitation and Obscenity Section at (202) 514-5780 or an Assistant U.S. Attorney 
designated as a Child Exploitation and Obscenity Coordinator for further assistance with child exploitation investigations and 
cases. 



11 Of course, the reality that agents legally may retain hardware for an extended period of time does not preclude agents from 
agreeing to requests from defense counsel for return of seized hardware and files. In several cases, agents have offered 
suspects electronic copies of innocent files with financial or personal value that were stored on seized computers. If suspects 
can show a legitimate need for access to seized files or hardware and the agents can comply with suspects' requests without 
either jeopardizing the investigation or imposing prohibitive costs on the government, agents should not hesitate to offer their 
assistance as a courtesy. 



12 This is true for two reasons. First, account holders may not retain a “reasonable expectation of privacy” in information sent 
to network providers because sending the information to the providers may constitute a disclosure under the principles of 
United States v. Miller, 425 U.S. 435 (1976), and Smith v. Maryland, 442 U.S. 735 (1979). See Chapter 1, Part B, Section 3 
(“Reasonable Expectation of Privacy and Third Party Possession”). Second, the Fourth Amendment generally permits the 
government to issue a subpoena compelling the disclosure of information and property even if it is protected by a Fourth 
Amendment “reasonable expectation of privacy.” When the government does not actually conduct the search for evidence, 
but instead merely obtains a court order that requires the recipient of the order to turn over evidence to the government 
within a specified period of time, the order complies with the Fourth Amendment so long as it is not overbroad, seeks 
relevant information, and is served in a legal manner. See United States v. Dionisio, 410 U.S. 1, 7-12 (1973); In re Horowitz, 
482 F.2d 72, 75-80 (2d Cir. 1973) (Friendly, J.). This analysis also applies when a suspect has stored materials remotely with 
a third party, and the government serves the third party with the subpoena. The cases indicate that so long as the third party 
is in possession of the target’s materials, the government may subpoena the materials from the third party without first 
obtaining a warrant based on probable cause, even if it would need a warrant to execute a search directly. See United States 
v. Barr, 605 F. Supp. 114, 119 (S.D.N.Y. 1985) (subpoena served on private third-party mail service for the defendant’s 
undelivered mail in the third party’s possession); United States v. Schwimmer, 232 F.2d 855, 861 (8th Cir. 1956) (subpoena 
served on third-party storage facility for the defendant’s private papers in the third party’s possession); Newfield v. Ryan, 91 
F.2d 700, 702-05 (5th Cir. 1937) (subpoena served on telegraph company for copies of defendants’ telegrams in the telegraph 
company’s possession). 



13 In this regard, as in several others, ECPA mirrors the Right to Financial Privacy Act, 12 U.S.C. § 3401 et seq. (“RFPA”). 
See generally Organizacion JD Ltda. v. United States Department of Justice, 124 F.3d 354, 360 (2d Cir. 1997) (noting that 
“Congress modeled . . . ECPA after the RFPA,” and looking to the RFPA for guidance on how to interpret “customer and 
subscriber” as used in ECPA); Tucker v. Waddell, 83 F.3d 688, 692 (4th Cir. 1996) (examining the RFPA in order to construe 
ECPA). The courts have uniformly refused to read a statutory suppression remedy into the analogous provision of the 
RFPA. See United States v. Kington, 801 F.2d 733, 737 (5th Cir. 1986); United States v. Frazin, 780 F.2d 1461, 1466 (9th 
Cir. 1986) (“Had Congress intended to authorize a suppression remedy [for violations of the RFPA], it surely would have 
included it among the remedies it expressly authorized.”). 



14 For example, the opinion contains several statements about ECPA’s requirements that are inconsistent with each other and 
individually incorrect. At one point, the opinion states that ECPA required the Navy either to obtain a search warrant 
ordering AOL to disclose McVeigh’s identity, or else give prior notice to McVeigh and then use a subpoena or a § 2703(d) 
court order. See 983 F. Supp. at 219. On the next page, the opinion states that the Navy needed to obtain a search warrant to 
obtain McVeigh’s name from AOL. See id. at 220. Both statements are incorrect. Pursuant to 18 U.S.C. § 2703(c)(1)(C), 
the Navy could have obtained McVeigh’s name properly with a subpoena, and did not need to give notice of the subpoena to 
McVeigh. 



15 Prohibited “use” and “disclosure” are beyond the scope of this manual. 



16 State surveillance laws may differ. Some states forbid the interception of communications unless all parties consent. 

17 The final clause of § 2511(2)(a)(i), which prohibits public telephone companies from conducting “service observing or 
random monitoring” unrelated to quality control, limits random monitoring by phone companies to interception designed to 
ensure that the company’s equipment is in good working order. See 1 James G. Carr, The Law of Electronic Surveillance, § 
3.3(f), at 3-75. This clause has no application to non-voice computer network transmissions. 



18 Unlike other Title III exceptions, the extension telephone exception is technically a limit on the statutory definition of 
“intercept.” See 18 U.S.C. § 2510(4)-(5). However, the provision acts just like other exceptions to Title III monitoring that 
authorize interception in certain circumstances. 